\chapter{Machine-Level ISA, Version 1.12}
\label{machine}

This chapter describes the machine-level operations available in
machine-mode (M-mode), which is the highest privilege mode in a RISC-V
system.  M-mode is used for low-level access to a
hardware platform and is the first mode entered at reset.  M-mode can
also be used to implement features that are too difficult or expensive
to implement in hardware directly.  The RISC-V machine-level ISA
contains a common core that is extended depending on which other
privilege levels are supported and other details of the hardware
implementation.

\section{Machine-Level CSRs}

In addition to the machine-level CSRs described in this section,
M-mode code can access all CSRs at lower privilege levels.

\subsection{Machine ISA Register {\tt misa}}
\label{sec:misa}

The {\tt misa} CSR is a \warl\ read-write register
reporting the ISA supported by the hart.  This register must be
readable in any implementation, but a value of zero can be returned to
indicate the {\tt misa} register has not been implemented, requiring
that CPU capabilities be determined through a separate non-standard
mechanism.

\begin{figure*}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{c@{}c@{}L}
\instbitrange{MXLEN-1}{MXLEN-2} &
\instbitrange{MXLEN-3}{26} &
\instbitrange{25}{0} \\
\hline
\multicolumn{1}{|c|}{MXL[1:0] (\warl)} &
\multicolumn{1}{c|}{0 (\warl)} &
\multicolumn{1}{c|}{Extensions[25:0] (\warl)} \\
\hline
2 & MXLEN-28 & 26 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine ISA register ({\tt misa}).}
\label{misareg}
\end{figure*}

The MXL (Machine XLEN) field encodes the native base integer ISA width
as shown in Table~\ref{misabase}.  The MXL field may be writable in
implementations that support multiple base ISA widths.  The effective
XLEN in M-mode, {\em MXLEN}, is given by the setting of MXL, or has a
fixed value if {\tt misa} is zero.  The MXL field is always set to the
widest supported ISA variant at reset.

\begin{table*}[h!]
\begin{center}
\begin{tabular}{|r|r|}
\hline
MXL  & XLEN \\
\hline	 
1   & 32 \\
2   & 64 \\
3   & 128 \\
\hline
\end{tabular}
\end{center}
\caption{Encoding of MXL field in {\tt misa}}
\label{misabase}
\end{table*}

The {\tt misa} CSR is MXLEN bits wide.  If the value read from {\tt misa} is
nonzero, field MXL of that value always denotes the current MXLEN. If a write
to {\tt misa} causes MXLEN to change, the position of MXL moves to the
most-significant two bits of {\tt misa} at the new width.

\begin{commentary}
The base width can be quickly ascertained using branches on the sign
of the returned {\tt misa} value, and possibly a shift left by one and
a second branch on the sign.  These checks can be written in assembly
code without knowing the register width (XLEN) of the machine.  The
base width is given by $\mbox{XLEN}=2^{\mbox{MXL+4}}$.

The base width can also be found if {\tt misa} is zero, by placing the
immediate 4 in a register then shifting the register left by 31 bits
at a time.  If zero after one shift, then the machine is RV32.  If
zero after two shifts, then the machine is RV64, else RV128.
\end{commentary}

The Extensions field encodes the presence of the standard extensions,
with a single bit per letter of the alphabet (bit 0 encodes presence
of extension ``A'' , bit 1 encodes presence of extension ``B'',
through to bit 25 which encodes ``Z'').  The ``I'' bit will be set for
RV32I, RV64I, RV128I base ISAs, and the ``E'' bit will be set for
RV32E.  The Extensions field is a \warl\ field that can contain writable bits
where the implementation allows the supported ISA to be modified.  At
reset, the Extensions field shall contain the maximal set of supported
extensions, and I shall be selected over E if both are available.

When a standard extension is disabled by clearing its bit in {\tt misa}, the instructions and CSRs defined or modified by the extension revert to their defined or reserved behaviors as if the extension is not implemented.

The RV128I base ISA is not yet frozen, and while much of the remainder of this
specification is expected to apply to RV128, this version of the document
focuses only on RV32 and RV64.

The ``U'' and ``S'' bits will be set if there is support for user and
supervisor modes respectively.

The ``X'' bit will be set if there are any non-standard extensions.

\begin{table*}
\begin{center}
\begin{tabular}{|r|r|l|}
\hline
Bit & Character  & Description \\
\hline	 
  0 & A & Atomic extension \\
  1 & B & {\em Tentatively reserved for Bit-Manipulation extension} \\
  2 & C & Compressed extension \\
  3 & D & Double-precision floating-point extension \\
  4 & E & RV32E base ISA \\
  5 & F & Single-precision floating-point extension \\
  6 & G & {\em Reserved} \\
  7 & H & Hypervisor extension \\
  8 & I & RV32I/64I/128I base ISA \\
  9 & J & {\em Tentatively reserved for Dynamically Translated Languages extension} \\
 10 & K & {\em Reserved} \\
 11 & L & {\em Tentatively reserved for Decimal Floating-Point extension} \\
 12 & M & Integer Multiply/Divide extension \\
 13 & N & User-level interrupts supported \\
 14 & O & {\em Reserved} \\
 15 & P & {\em Tentatively reserved for Packed-SIMD extension} \\
 16 & Q & Quad-precision floating-point extension \\
 17 & R & {\em Reserved} \\
 18 & S & Supervisor mode implemented \\
 19 & T & {\em Tentatively reserved for Transactional Memory extension} \\
 20 & U & User mode implemented \\
 21 & V & {\em Tentatively reserved for Vector extension} \\
 22 & W & {\em Reserved} \\
 23 & X & Non-standard extensions present \\
 24 & Y & {\em Reserved} \\
 25 & Z & {\em Reserved} \\
\hline
\end{tabular}
\end{center}
\caption{Encoding of Extensions field in {\tt misa}.  All bits that are
  reserved for future use must return zero when read.}
\label{misaletters}
\end{table*}


\begin{commentary}
The {\tt misa} CSR exposes a rudimentary catalog of CPU features
to machine-mode code.  More extensive information can be obtained in
machine mode by probing other machine registers, and examining other
ROM storage in the system as part of the boot process.

We require that lower privilege levels execute environment calls
instead of reading CPU registers to determine features available at
each privilege level. This enables virtualization layers to alter the
ISA observed at any level, and supports a much richer command
interface without burdening hardware designs.
\end{commentary}

The ``E'' bit is read-only.  Unless {\tt misa} is hardwired to zero, the ``E''
bit always reads as the complement of the ``I'' bit.  An implementation that
supports both RV32E and RV32I can select RV32E by clearing the ``I'' bit.

If an ISA feature {\em x} depends on an ISA feature {\em y}, then attempting
to enable feature {\em x} but disable feature {\em y} results in both features
being disabled.  For example, setting ``F''=0 and ``D''=1 results in both
``F'' and ``D'' being cleared.

An implementation may impose additional constraints on the collective setting
of two or more {\tt misa} fields, in which case they function collectively as
a single \warl\ field.  An attempt to write an unsupported combination causes
those bits to be set to some supported combination.

Writing {\tt misa} may increase IALIGN, e.g., by disabling the ``C''
extension.
If an instruction that would write {\tt misa} increases IALIGN, and
the subsequent instruction's address is not IALIGN-bit aligned, the
write to {\tt misa} is suppressed, leaving {\tt misa} unchanged.

When software enables an extension that was previously disabled, then all
state uniquely associated with that extension is \unspecified, unless
otherwise specified by that extension.

\subsection{Machine Vendor ID Register {\tt mvendorid}}

The {\tt mvendorid} CSR is a 32-bit read-only register providing
the JEDEC manufacturer ID of the provider of the core.  This register
must be readable in any implementation, but a value of 0 can be
returned to indicate the field is not implemented or that this is a
non-commercial implementation.

\begin{figure*}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{JS}
\instbitrange{31}{7} &
\instbitrange{6}{0} \\
\hline
\multicolumn{1}{|c|}{Bank} &
\multicolumn{1}{c|}{Offset} \\
\hline
25 & 7 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Vendor ID register ({\tt mvendorid}).}
\label{mvendorreg}
\end{figure*}

JEDEC manufacturer IDs are ordinarily encoded as a sequence of one-byte
continuation codes {\tt 0x7f}, terminated by a one-byte ID not equal to
{\tt 0x7f}, with an odd parity bit in the most-significant bit of each byte.
{\tt mvendorid} encodes the number of one-byte continuation
codes in the Bank field, and encodes the final byte in the Offset field,
discarding the parity bit.  For example, the JEDEC manufacturer ID
{\tt 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x7f 0x8a}
(twelve continuation codes followed by {\tt 0x8a}) would be encoded in the
{\tt mvendorid} field as {\tt 0x60a}.

\begin{commentary}
In JEDEC's parlance, the bank number is one greater than the number of
continuation codes; hence, the {\tt mvendorid} Bank field encodes a value
that is one less than the JEDEC bank number.
\end{commentary}

\begin{commentary}
Previously the vendor ID was to be a number allocated by the RISC-V
Foundation, but this duplicates the work of JEDEC in maintaining a
manufacturer ID standard.  At time of writing, registering a
manufacturer ID with JEDEC has a one-time cost of \$500.
\end{commentary}

\subsection{Machine Architecture ID Register {\tt marchid}}

The {\tt marchid} CSR is an MXLEN-bit read-only register encoding the
base microarchitecture of the hart.  This register must be readable in
any implementation, but a value of 0 can be returned to indicate the
field is not implemented.  The combination of {\tt mvendorid} and {\tt
  marchid} should uniquely identify the type of hart microarchitecture
that is implemented.

\begin{figure*}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{J}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{Architecture ID} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine Architecture ID register ({\tt marchid}).}
\label{marchreg}
\end{figure*}

Open-source project architecture IDs are allocated globally by the
RISC-V Foundation, and have non-zero architecture IDs with a zero
most-significant-bit (MSB).  Commercial architecture IDs are allocated
by each commercial vendor independently, but must have the MSB set and
cannot contain zero in the remaining MXLEN-1 bits.

\begin{commentary}
The intent is for the architecture ID to represent the
microarchitecture associated with the repo around which development
occurs rather than a particular organization.  Commercial fabrications
of open-source designs should (and might be required by the license
to) retain the original architecture ID.  This will aid in reducing
fragmentation and tool support costs, as well as provide attribution.
Open-source architecture IDs should be administered by the Foundation
and should only be allocated to released, functioning open-source
projects.  Commercial architecture IDs can be managed independently by
any registered vendor but are required to have IDs disjoint from the
open-source architecture IDs (MSB set) to prevent collisions if a
vendor wishes to use both closed-source and open-source
microarchitectures.

The convention adopted within the following Implementation field can
be used to segregate branches of the same architecture design,
including by organization.  The {\tt misa} register also helps
distinguish different variants of a design.
\end{commentary}

\subsection{Machine Implementation ID Register {\tt mimpid}}

The {\tt mimpid} CSR provides a unique encoding of the version of the
processor implementation.  This register must be readable in any
implementation, but a value of 0 can be returned to indicate that the
field is not implemented.  The Implementation value should reflect the
design of the RISC-V processor itself and not any surrounding system.

\begin{figure*}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{J}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{Implementation}  \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine Implementation ID register ({\tt mimpid}).}
\label{mimpidreg}
\end{figure*}

\begin{commentary}
The format of this field is left to the provider of the architecture
source code, but will often be printed by standard tools as a
hexadecimal string without any leading or trailing zeros, so the
Implementation value can be left-justified (i.e., filled in from
most-significant nibble down) with subfields aligned on nibble
boundaries to ease human readability.
\end{commentary}

\subsection{Hart ID Register {\tt mhartid}}

The {\tt mhartid} CSR is an MXLEN-bit read-only register
containing the integer ID of the hardware thread running the code.
This register must be readable in any implementation.  Hart IDs might
not necessarily be numbered contiguously in a multiprocessor system,
but at least one hart must have a hart ID of zero.  Hart IDs must be
unique within the execution environment.

\begin{figure*}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{J}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{Hart ID}\\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Hart ID register ({\tt mhartid}).}
\label{mhartidreg}
\end{figure*}


\begin{commentary}
In certain cases, we must ensure exactly one hart runs some code
(e.g., at reset), and so require one hart to have a known hart ID of
zero.

For efficiency, system implementers should aim to reduce the magnitude
of the largest hart ID used in a system.
\end{commentary}

\subsection{Machine Status Registers ({\tt mstatus} and {\tt mstatush})}

The {\tt mstatus} register is an MXLEN-bit read/write register
formatted as shown in Figure~\ref{mstatusreg} for RV64 and
Figure~\ref{mstatusreg-rv32} for RV32.  The {\tt mstatus}
register keeps track of and controls the hart's current operating
state.  A restricted view of {\tt mstatus} appears as the
{\tt sstatus} register in the S-level ISA.

\begin{figure*}[h!]
{\footnotesize
\begin{center}
\setlength{\tabcolsep}{4pt}
\scalebox{0.95}{
\begin{tabular}{cRccccYcccccc}
\\
\instbit{MXLEN-1} &
\instbitrange{MXLEN-2}{38} &
\instbit{37} &
\instbit{36} &
\instbitrange{35}{34} &
\instbitrange{33}{32} &
\instbitrange{31}{23} &
\instbit{22} &
\instbit{21} &
\instbit{20} &
\instbit{19} &
\instbit{18} &
 \\
\hline
\multicolumn{1}{|c|}{SD} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{MBE} &
\multicolumn{1}{c|}{SBE} &
\multicolumn{1}{c|}{SXL[1:0]} &
\multicolumn{1}{c|}{UXL[1:0]} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{TSR} &
\multicolumn{1}{c|}{TW} &
\multicolumn{1}{c|}{TVM} &
\multicolumn{1}{c|}{MXR} &
\multicolumn{1}{c|}{SUM} &
 \\
\hline
1 & MXLEN-39 & 1 & 1 & 2 & 2 & 9 & 1 & 1 & 1 & 1 & 1 & \\
\end{tabular}}
\scalebox{0.95}{
\begin{tabular}{ccWWcWccccccccc}
\\
&
\instbit{17} &
\instbitrange{16}{15} &
\instbitrange{14}{13} &
\instbitrange{12}{11} &
\instbitrange{10}{9} &
\instbit{8} &
\instbit{7} &
\instbit{6} &
\instbit{5} &
\instbit{4} &
\instbit{3} &
\instbit{2} &
\instbit{1} &
\instbit{0} \\
\hline
 &
\multicolumn{1}{|c|}{MPRV} &
\multicolumn{1}{c|}{XS[1:0]} &
\multicolumn{1}{c|}{FS[1:0]} &
\multicolumn{1}{c|}{MPP[1:0]} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{SPP} &
\multicolumn{1}{c|}{MPIE} &
\multicolumn{1}{c|}{UBE} &
\multicolumn{1}{c|}{SPIE} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{MIE} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{SIE} &
\multicolumn{1}{c|}{\wpri} \\
\hline
 & 1 & 2 & 2 & 2 & 2 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
\end{tabular}}
\end{center}
}
\vspace{-0.1in}
\caption{Machine-mode status register ({\tt mstatus}) for RV64.}
\label{mstatusreg}
\end{figure*}

\begin{figure*}[h!]
{\footnotesize
\begin{center}
\setlength{\tabcolsep}{4pt}
\begin{tabular}{cKccccccc}
\\
\instbit{31} &
\instbitrange{30}{23} &
\instbit{22} &
\instbit{21} &
\instbit{20} &
\instbit{19} &
\instbit{18} &
\instbit{17} &
 \\
\hline
\multicolumn{1}{|c|}{SD} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{TSR} &
\multicolumn{1}{c|}{TW} &
\multicolumn{1}{c|}{TVM} &
\multicolumn{1}{c|}{MXR} &
\multicolumn{1}{c|}{SUM} &
\multicolumn{1}{c|}{MPRV} &
 \\
\hline
1 & 8 & 1 & 1 & 1 & 1 & 1 & 1 & \\
\end{tabular}
\begin{tabular}{cWWcWccccccccc}
\\
&
\instbitrange{16}{15} &
\instbitrange{14}{13} &
\instbitrange{12}{11} &
\instbitrange{10}{9} &
\instbit{8} &
\instbit{7} &
\instbit{6} &
\instbit{5} &
\instbit{4} &
\instbit{3} &
\instbit{2} &
\instbit{1} &
\instbit{0} \\
\hline
 &
\multicolumn{1}{|c|}{XS[1:0]} &
\multicolumn{1}{c|}{FS[1:0]} &
\multicolumn{1}{c|}{MPP[1:0]} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{SPP} &
\multicolumn{1}{c|}{MPIE} &
\multicolumn{1}{c|}{UBE} &
\multicolumn{1}{c|}{SPIE} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{MIE} &
\multicolumn{1}{c|}{\wpri} &
\multicolumn{1}{c|}{SIE} &
\multicolumn{1}{c|}{\wpri} \\
\hline
 & 2 & 2 & 2 & 2 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine-mode status register ({\tt mstatus}) for RV32.}
\label{mstatusreg-rv32}
\end{figure*}

For RV32 only, {\tt mstatush} is a 32-bit read/write register formatted
as shown in Figure~\ref{mstatushreg}.
Bits 30:4 of {\tt mstatush} generally contain the same fields found in
bits 62:36 of {\tt mstatus} for RV64.
Fields SD, SXL, and UXL do not exist in {\tt mstatush}.

The {\tt mstatush} register is not required to be implemented if every field
would be hardwired to zero.

\begin{figure*}[h!]
{\footnotesize
\begin{center}
\setlength{\tabcolsep}{4pt}
\begin{tabular}{JccF}
\\
\instbitrange{31}{6} &
\instbit{5} &
\instbit{4} &
\instbitrange{3}{0} \\
\hline
\multicolumn{1}{|c|}{\wpri} &
\multicolumn{1}{c|}{MBE} &
\multicolumn{1}{c|}{SBE} &
\multicolumn{1}{c|}{\wpri} \\
\hline
26 & 1 & 1 & 4 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Additional machine-mode status register ({\tt mstatush}) for RV32.}
\label{mstatushreg}
\end{figure*}


\subsubsection{Privilege and Global Interrupt-Enable Stack in {\tt mstatus} register}
\label{privstack}

Global interrupt-enable bits, MIE and SIE, are provided for M-mode and
S-mode respectively.
These bits are primarily used to guarantee atomicity
with respect to interrupt handlers in the current privilege mode.

\begin{commentary}
The global {\em x}\/IE bits are located in the low-order bits of {\tt mstatus},
allowing them to be atomically set or cleared with a single CSR
instruction.
\end{commentary}

When a hart is executing in privilege mode {\em x}, interrupts are
globally enabled when {\em x}\/IE=1 and globally disabled when {\em
  x}\/IE=0.  Interrupts for lower-privilege modes, {\em w}$<${\em x},
are always globally disabled regardless of the setting of any global
{\em w}\/IE bit for the lower-privilege mode.
Interrupts for
higher-privilege modes, {\em y}$>${\em x}, are always globally enabled
regardless of the setting of the global {\em y}\/IE bit for the
higher-privilege mode.
Higher-privilege-level code can use separate
per-interrupt enable bits to disable selected higher-privilege-mode
interrupts before ceding control to a lower-privilege mode.

\begin{commentary}
  A higher-privilege mode {\em y} could disable all of its interrupts
  before ceding control to a lower-privilege mode but this would be
  unusual as it would leave only a synchronous trap, non-maskable
  interrupt, or reset as means to regain control of the hart.
\end{commentary}

To support nested traps, each privilege mode {\em x} that can respond to
interrupts has a two-level
stack of interrupt-enable bits and privilege modes.  {\em x}\/PIE
holds the value of the interrupt-enable bit active prior to the trap,
and {\em x}\/PP holds the previous privilege mode.  The {\em x}\/PP
fields can only hold privilege modes up to {\em x}, so MPP is
two bits wide and SPP is one bit wide.  When
a trap is taken from privilege mode {\em y} into privilege mode {\em
  x}, {\em x}\/PIE is set to the value of {\em x}\/IE; {\em x}\/IE is set to
0; and {\em x}\/PP is set to {\em y}.

\begin{commentary}
For lower privilege modes, any trap (synchronous or asynchronous) is
usually taken at a higher privilege mode with interrupts disabled upon entry.
The higher-level trap handler will either service the trap and return
using the stacked information, or, if not returning immediately to the
interrupted context, will save the privilege stack before re-enabling
interrupts, so only one entry per stack is required.
\end{commentary}

An MRET or SRET instruction is used to return from
a trap in M-mode or S-mode respectively.  When
executing an {\em x}\/RET instruction, supposing {\em x}\/PP holds the
value {\em y}, {\em x}\/IE is set to {\em x}\/PIE; the privilege mode
is changed to {\em y}; {\em x}\/PIE is set to 1; and {\em x}\/PP is
set to the least-privileged supported mode (U if U-mode is implemented, else M).
If {\em x}\/PP$\neq$M, {\em x}\/RET also sets MPRV=0.

\begin{commentary}
Setting {\em x}\/PP to the least-privileged supported mode on an {\em x}\/RET
helps identify software bugs in the management of the two-level privilege-mode
stack.
\end{commentary}

{\em x}\/PP fields are \warl\ fields that can hold only privilege mode {\em x}
and any implemented privilege mode lower than {\em x}.  If privilege mode {\em
x} is not implemented, then {\em x}\/PP must be hardwired to 0.

\begin{commentary}
M-mode software can determine whether a privilege mode is implemented
by writing that mode to MPP then reading it back.

If the machine provides only U and M modes, then only a single
hardware storage bit is required to represent either 00 or 11 in MPP.
\end{commentary}

\subsubsection{Base ISA Control in {\tt mstatus} Register}
\label{xlen-control}

For RV64 systems, the SXL and UXL fields are \warl\ fields
that control the value of XLEN for S-mode and U-mode,
respectively. The encoding of these fields is the same as the MXL
field of {\tt misa}, shown in Table~\ref{misabase}.  The effective
XLEN in S-mode and U-mode are termed {\em SXLEN} and {\em UXLEN},
respectively.

For RV32 systems, the SXL and UXL fields do not exist, and
SXLEN=32 and UXLEN=32.

For RV64 systems, if S-mode is not supported, then SXL is hardwired
to zero.  Otherwise, it is a \warl\ field that encodes the current value of
SXLEN.  In particular, an implementation may make SXL be a read-only
field whose value always ensures that SXLEN=MXLEN.

For RV64 systems, if U-mode is not supported, then UXL is hardwired
to zero.  Otherwise, it is a \warl\ field that encodes the current value of
UXLEN.  In particular, an implementation may make UXL be a read-only
field whose value always ensures that UXLEN=MXLEN or UXLEN=SXLEN.

Whenever XLEN in any mode is set to a value less than the widest
supported XLEN, all operations must ignore source operand register
bits above the configured XLEN, and must sign-extend results to fill
the entire widest supported XLEN in the destination register.
Similarly, {\tt pc} bits above XLEN are ignored, and when the {\tt pc}
is written, it is sign-extended to fill the widest supported XLEN.
\begin{commentary}
We require that operations always fill the entire underlying hardware
registers with defined values to avoid implementation-defined
behavior.

To reduce hardware complexity, the architecture imposes no checks that
lower-privilege modes have XLEN settings less than or equal to the
next-higher privilege mode.  In practice, such settings would almost
always be a software bug, but machine operation is well-defined even in this
case.
\end{commentary}

If MXLEN is changed from 32 to a wider width, each of {\tt mstatus} fields SXL and
UXL, if not restricted to a single value, gets the value corresponding to the
widest supported width not wider than the new MXLEN.

\subsubsection{Memory Privilege in {\tt mstatus} Register}

The MPRV (Modify PRiVilege) bit modifies the privilege level at which loads
and stores execute.  When MPRV=0, loads and stores
behave as normal, using the translation and protection mechanisms of the
current privilege mode.
When MPRV=1, load and store memory addresses are translated and protected, and
endianness is applied, as though the current privilege mode were set to MPP.
Instruction address-translation and protection are unaffected by the setting
of MPRV.  MPRV is hardwired to 0 if U-mode is not supported.

An MRET or SRET instruction that changes the privilege mode to a mode
less privileged than M also sets MPRV=0.

The MXR (Make eXecutable Readable) bit modifies the privilege with which loads
access virtual memory.  When MXR=0, only loads from pages marked readable (R=1
in Figure~\ref{sv32pte}) will succeed.  When MXR=1, loads from pages marked
either readable or executable (R=1 or X=1) will succeed.  MXR has no effect
when page-based virtual memory is not in effect.  MXR is hardwired to 0 if
S-mode is not supported.

\begin{commentary}
The MPRV and MXR mechanisms were conceived to improve the efficiency of M-mode
routines that emulate missing hardware features, e.g., misaligned loads and
stores.  MPRV obviates the need to perform address translation in software.
MXR allows instruction words to be loaded from pages marked execute-only.

The current privilege mode and the privilege mode specified by MPP might have
different XLEN settings.  When MPRV=1, load and store memory addresses are
treated as though the current XLEN were set to MPP's XLEN, following the rules
in Section~\ref{xlen-control}.
\end{commentary}

The SUM (permit Supervisor User Memory access) bit modifies the privilege with
which S-mode loads and stores access virtual memory.
When SUM=0, S-mode memory accesses to pages that are accessible by U-mode (U=1
in Figure~\ref{sv32pte}) will fault.  When SUM=1, these accesses are
permitted.  SUM has no effect when page-based virtual memory is not in effect.
Note that, while SUM is ordinarily ignored when not executing in S-mode, it
{\em is} in effect when MPRV=1 and MPP=S.  SUM is hardwired to 0 if S-mode is
not supported.

The MXR and SUM mechanisms only affect the interpretation of permissions
encoded in page-table entries.  In particular, they have no impact on whether
access-fault exceptions are raised due to PMAs or PMP.

\subsubsection{Endianness Control in {\tt mstatus} and {\tt mstatush} Registers}

The MBE, SBE, and UBE bits in {\tt mstatus} and {\tt mstatush} are
\warl\ fields that control the endianness of memory accesses other than
instruction fetches.
Instruction fetches are always little-endian.

MBE controls whether non-instruction-fetch memory accesses made from
M-mode (assuming {\tt mstatus}.MPRV=0) are little-endian (MBE=0) or
big-endian (MBE=1).

If S-mode is not supported, SBE is hardwired to~0.
Otherwise, SBE controls whether explicit load and store memory accesses made
from S-mode are little-endian (SBE=0) or big-endian (SBE=1).

If U-mode is not supported, UBE is hardwired to~0.
Otherwise, UBE controls whether explicit load and store memory accesses made
from U-mode are little-endian (UBE=0) or big-endian (UBE=1).

For {\em implicit} accesses to supervisor-level memory management data
structures, such as page tables, endianness is always controlled by SBE.
Since changing SBE alters the implementation's interpretation of these data
structures, if any such data structures remain in use across a change to SBE,
M-mode software must follow such a change to SBE by executing an
SFENCE.VMA instruction with {\em rs1}={\tt x0} and {\em rs2}={\tt x0}.

\begin{commentary}
Only in contrived scenarios will a given memory-management data structure be
interpreted as both little-endian and big-endian.
In practice, SBE will only be changed at runtime on world switches, in which
case neither the old nor new memory-management data structure will be
reinterpreted in a different endianness.
In this case, no additional SFENCE.VMA is necessary, beyond what would
ordinarily be required for a world switch.
\end{commentary}

If S-mode is supported, an implementation may make SBE be a read-only
copy of MBE.
If U-mode is supported, an implementation may make UBE be a read-only
copy of either MBE or SBE.

\begin{commentary}
An implementation supports only little-endian memory accesses if fields
MBE, SBE, and UBE are all hardwired to~0.
An implementation supports only big-endian memory accesses (aside from
instruction fetches) if MBE is hardwired to 1 and SBE and UBE are each
hardwired to 1 when S-mode and U-mode are supported.
\end{commentary}

\begin{commentary}
Volume I defines a hart's address space as a circular sequence of
$2^{\text{XLEN}}$ bytes at consecutive addresses.
The correspondence between addresses and byte locations is fixed and not
affected by any endianness mode.
Rather, the applicable endianness mode determines the order of mapping
between memory bytes and a multibyte quantity (halfword, word, etc.).
\end{commentary}

\begin{commentary}
Standard RISC-V ABIs are expected to be purely little-endian-only or
big-endian-only, with no accommodation for mixing endianness.
Nevertheless, endianness control has been defined so as to permit, for
instance, an OS of one endianness to execute user-mode programs of the
opposite endianness.
Consideration has been given also to the possibility of nonstandard
usages whereby software flips the endianness of memory accesses as
needed.
\end{commentary}

\begin{commentary}
RISC-V instructions are uniformly little-endian to decouple instruction
encoding from the current endianness settings, for the benefit of both
hardware and software.
Otherwise, for instance, a RISC-V assembler or disassembler would always
need to know the intended active endianness, despite that the endianness
mode might change dynamically during execution.
In contrast, by giving instructions a fixed endianness, it is sometimes
possible for carefully written software to be endianness-agnostic even in
binary form, much like position-independent code.

The choice to have instructions be only little-endian does have
consequences, however, for RISC-V software that encodes or decodes
machine instructions.
In big-endian mode, such software must account for the fact that explicit
loads and stores have endianness opposite that of instructions, for
example by swapping byte order after loads and before stores.
\end{commentary}

\subsubsection{Virtualization Support in {\tt mstatus} Register}
\label{virt-control}

The TVM (Trap Virtual Memory) bit is a \warl\ field that supports intercepting
supervisor virtual-memory management operations.  When TVM=1,
attempts to read or write the {\tt satp} CSR or execute the SFENCE.VMA
instruction while executing in S-mode will raise an illegal instruction
exception.  When TVM=0, these operations are permitted in S-mode.
TVM is hard-wired to 0 when S-mode is not supported.

\begin{commentary}
The TVM mechanism improves virtualization efficiency by permitting guest
operating systems to execute in S-mode, rather than classically virtualizing
them in U-mode.  This approach obviates the need to trap accesses to most
S-mode CSRs.

Trapping {\tt satp} accesses and the SFENCE.VMA instruction provides the
hooks necessary to lazily populate shadow page tables.
\end{commentary}

The TW (Timeout Wait) bit is a \warl\ field that supports intercepting the WFI
instruction (see Section~\ref{wfi}).
When TW=0, the WFI instruction may execute in lower
privilege modes when not prevented for some other reason.  When TW=1,
then if WFI is executed in any less-privileged mode, and it does not complete
within an implementation-specific, bounded time limit, the WFI instruction
causes an illegal instruction exception.  The time limit may always be 0, in which
case WFI always causes an illegal instruction exception in less-privileged modes
when TW=1.  TW is hard-wired to 0 when there are no modes less privileged than
M.

\begin{commentary}
Trapping the WFI
instruction can trigger a world switch to another guest OS, rather than
wastefully idling in the current guest.
\end{commentary}

When S-mode is implemented, then executing WFI in U-mode causes an illegal
instruction exception, unless it completes within an implementation-specific,
bounded time limit.  A future revision of this specification might add
a feature that allows S-mode to selectively permit WFI in U-mode.  Such
a feature would only be active when TW=0.

The TSR (Trap SRET) bit is a \warl\ field that
supports intercepting the supervisor exception return
instruction, SRET.  When TSR=1, attempts to execute SRET while executing in
S-mode will raise an illegal instruction exception.  When TSR=0, this
operation is permitted in S-mode.  TSR is hard-wired to 0 when S-mode is not
supported.

\begin{commentary}
Trapping SRET is necessary to emulate the hypervisor extension
(see Chapter~\ref{hypervisor}) on implementations that do not provide it.
\end{commentary}

\subsubsection{Extension Context Status in {\tt mstatus} Register}

Supporting substantial extensions is one of the primary goals of
RISC-V, and hence we define a standard interface to allow unchanged
privileged-mode code, particularly a supervisor-level OS, to support
arbitrary user-mode state extensions.

\begin{commentary}
  To date, the V extension is the only standard extension that defines
  additional state beyond the floating-point CSR and data registers.
\end{commentary}

The FS[1:0] \warl\ field and the XS[1:0] read-only field are used
to reduce the cost of context save and restore by setting and tracking
the current state of the floating-point unit and any other user-mode
extensions respectively.  The FS field encodes the status of the
floating-point unit, including the CSR {\tt fcsr} and floating-point
data registers {\tt f0}--{\tt f31}, while the XS field encodes the
status of additional user-mode extensions and associated state.
These fields can be checked by a context switch routine to quickly
determine whether a state save or restore is required.  If a save or
restore is required, additional instructions and CSRs are typically
required to effect and optimize the process.

\begin{commentary}
  The design anticipates that most context switches will not need to
  save/restore state in either or both of the floating-point unit or
  other extensions, so provides a fast check via the SD bit.
\end{commentary}

The FS and XS fields use the same status encoding as shown in
Table~\ref{fsxsencoding}, with the four possible status values being
Off, Initial, Clean, and Dirty.

\begin{table*}[h!]
\begin{center}
\begin{tabular}{|r|l|l|}
\hline
Status  & FS Meaning & XS Meaning\\
\hline	 
0 & Off     &  All off \\
1 & Initial &  None dirty or clean, some on\\
2 & Clean   &  None dirty, some clean \\
3 & Dirty   &  Some dirty \\
\hline
\end{tabular}
\end{center}
\caption{Encoding of FS[1:0] and XS[1:0] status fields.}
\label{fsxsencoding}
\end{table*}

In systems that do not implement S-mode and do not have a
floating-point unit, the FS field is hardwired to zero.

In systems without additional user extensions requiring new state, the
XS field is hardwired to zero.  Every additional extension with state
provides a CSR field that encodes the equivalent of the XS states.
The XS field represents a summary of all
extensions' status as shown in Table~\ref{fsxsencoding}.

\begin{commentary}
The XS field effectively reports the maximum status value across all
user-extension status fields, though individual extensions can use a
different encoding than XS.
\end{commentary}

The SD bit is a read-only bit that summarizes whether either the FS
field or XS field signals the presence of some dirty state that will
require saving extended user context to memory.  If both XS and FS are
hardwired to zero, then SD is also always zero.

When an extension's status is set to Off, any instruction that
attempts to read or write the corresponding state will cause an illegal instruction
exception.  When the status is Initial, the corresponding state should
have an initial constant value.  When the status is Clean, the
corresponding state is potentially different from the initial value,
but matches the last value stored on a context swap.  When the status
is Dirty, the corresponding state has potentially been modified since
the last context save.

During a context save, the responsible privileged code need only write
out the corresponding state if its status is Dirty, and can then reset
the extension's status to Clean.  During a context restore, the
context need only be loaded from memory if the status is Clean (it
should never be Dirty at restore).  If the status is Initial, the
context must be set to an initial constant value on context restore to
avoid a security hole, but this can be done without accessing memory.
For example, the floating-point registers can all be initialized to
the immediate value 0.

The FS and XS fields are read by the privileged code before saving the
context.  The FS field is set directly by privileged code when
resuming a user context, while the XS field is set indirectly by
writing to the status register of the individual extensions.  The
status fields will also be updated during execution of instructions,
regardless of privilege mode.

Extensions to the user-mode ISA often include additional user-mode
state, and this state can be considerably larger than the base integer
registers.  The extensions might only be used for some applications,
or might only be needed for short phases within a single application.
To improve performance, the user-mode extension can define additional
instructions to allow user-mode software to return the unit to an
initial state or even to turn off the unit.

For example, a coprocessor might require to be configured before use
and can be ``unconfigured'' after use.  The unconfigured state would
be represented as the Initial state for context save.  If the same
application remains running between the unconfigure and the next
configure (which would set status to Dirty), there is no need to
actually reinitialize the state at the unconfigure instruction, as all
state is local to the user process, i.e., the Initial state may only
cause the coprocessor state to be initialized to a constant value at
context restore, not at every unconfigure.

Executing a user-mode instruction to disable a unit and place it into
the Off state will cause an illegal instruction exception to be raised
if any subsequent instruction tries to use the unit before it is
turned back on.  A user-mode instruction to turn a unit on must also
ensure the unit's state is properly initialized, as the unit might
have been used by another context meantime.

Changing the setting of FS has no effect on the contents of the floating-point
register state.  In particular, setting FS=Off does not destroy the state, nor
does setting FS=Initial clear the contents.  Other extensions might not
preserve state when set to Off.

Implementations may choose to track the dirtiness of the floating-point
register state imprecisely by reporting the state to be dirty even when
it has not been modified.  On some implementations, some instructions that
do not mutate the floating-point state may cause the state to transition from
Initial or Clean to Dirty.  On other implementations, dirtiness might not be
tracked at all, in which case the valid FS states are Off and Dirty, and an
attempt to set FS to Initial or Clean causes it to be set to Dirty.
\begin{commentary}
This definition of FS does not disallow setting FS to Dirty as a result of
errant speculation.  Some platforms may choose to disallow speculatively
writing FS to close a potential side channel.
\end{commentary}

If an instruction explicitly or implicitly writes a floating-point register or
the {\tt fcsr} but does not alter its contents, and FS=Initial or FS=Clean, it
is implementation-defined whether FS transitions to Dirty.

Table~\ref{fsxsstates} shows all the possible state transitions for
the FS or XS status bits.  Note that the standard floating-point
extensions do not support user-mode unconfigure or disable/enable
instructions.

\begin{table*}[h!]
\begin{center}
\begin{tabular}{|l|l|l|l|l|}
\hline
\multicolumn{1}{|r|}{Current State} & Off & Initial & Clean & Dirty \\
Action & & & &\\
\hline
\hline
\multicolumn{5}{|c|}{At context save in privileged code}\\
\hline	 
Save state?    & No         & No        & No     & Yes \\
Next state       & Off        & Initial   & Clean  & Clean \\
\hline
\hline
\multicolumn{5}{|c|}{At context restore in privileged code}\\
\hline
Restore state? & No        & Yes, to initial & Yes, from memory   & N/A \\
Next state     & Off       & Initial   & Clean  & N/A \\
\hline
\hline
\multicolumn{5}{|c|}{Execute instruction to read state}\\
\hline
Action?        & Exception & Execute   & Execute & Execute \\
Next state     & Off       & Initial   & Clean  & Dirty \\
\hline
\hline
\multicolumn{5}{|c|}{Execute instruction that possibly modifies state, including configuration}\\
\hline
Action?        & Exception & Execute & Execute & Execute \\
Next state     & Off       & Dirty   & Dirty  & Dirty \\
\hline
\hline
\multicolumn{5}{|c|}{Execute instruction to unconfigure unit}\\
\hline
Action?        & Exception & Execute & Execute & Execute \\
Next state     & Off       & Initial & Initial & Initial \\
\hline
\hline
\multicolumn{5}{|c|}{Execute instruction to disable unit}\\
\hline
Action?        & Execute   & Execute & Execute & Execute \\
Next state     & Off       & Off     & Off     & Off \\
\hline
\hline
\multicolumn{5}{|c|}{Execute instruction to enable unit}\\
\hline
Action?        & Execute   & Execute & Execute & Execute \\
Next state     & Initial   & Initial & Initial & Initial   \\
\hline
\end{tabular}
\end{center}
\caption{FS and XS state transitions.}
\label{fsxsstates}
\end{table*}

Standard privileged instructions to initialize, save, and restore
extension state are provided to insulate privileged code from details
of the added extension state by treating the state as an opaque
object.

\begin{commentary}
Many coprocessor extensions are only used in limited contexts that
allows software to safely unconfigure or even disable units when done.
This reduces the context-switch overhead of large stateful
coprocessors.

We separate out floating-point state from other extension state, as
when a floating-point unit is present the floating-point registers are
part of the standard calling convention, and so user-mode software
cannot know when it is safe to disable the floating-point unit.
\end{commentary}

The XS field provides a summary of all added extension state, but
additional microarchitectural bits might be maintained in the
extension to further reduce context save and restore overhead.

The SD bit is read-only and is set when either the FS or XS bits
encode a Dirty state (i.e., SD=((FS==11) OR (XS==11))).  This allows
privileged code to quickly determine when no additional context save is
required beyond the integer register set and PC.

The floating-point unit state is always initialized, saved, and
restored using standard instructions (F, D, and/or Q), and privileged
code must be aware of FLEN to determine the appropriate space to
reserve for each {\tt f} register.

All privileged modes share a single copy of the FS and XS bits.  In a
system with more than one privileged mode, supervisor mode would
normally use the FS and XS bits directly to record the status with
respect to the supervisor-level saved context.  Other more-privileged
active modes must be more conservative in saving and restoring the
extension state in their corresponding version of the context.

\begin{commentary}
In any reasonable use case, the number of context switches between
user and supervisor level should far outweigh the number of context
switches to other privilege levels.  Note that coprocessors should not
require their context to be saved and restored to service asynchronous
interrupts, unless the interrupt results in a user-level context swap.
\end{commentary}

\subsection{Machine Trap-Vector Base-Address Register ({\tt mtvec})}

The {\tt mtvec} register is an MXLEN-bit \warl\ read/write register that holds
trap vector configuration, consisting of a vector base address (BASE) and a
vector mode (MODE).

\begin{figure*}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{J@{}S}
\instbitrange{MXLEN-1}{2} &
\instbitrange{1}{0} \\
\hline
\multicolumn{1}{|c|}{BASE[MXLEN-1:2] (\warl)} & 
\multicolumn{1}{c|}{MODE (\warl)} \\
\hline
MXLEN-2 & 2 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine trap-vector base-address register ({\tt mtvec}).}
\label{mtvecreg}
\end{figure*}

The {\tt mtvec} register must always be implemented, but can contain
a hardwired read-only value.  If {\tt mtvec} is writable, the set of values
the register may hold can vary by implementation.  The value in the BASE field
must always be aligned on a 4-byte boundary, and the MODE setting may impose
additional alignment constraints on the value in the BASE field.

\begin{commentary}
We allow for considerable flexibility in implementation of the trap
vector base address.  On the one hand, we do not wish to burden low-end
implementations with a large number of state bits, but on the other
hand, we wish to allow flexibility for larger systems.
\end{commentary}

\begin{table*}[h!]
\begin{center}
\begin{tabular}{|r|c|l|}
\hline
Value & Name & Description \\
\hline	 
0      & Direct   & All exceptions set {\tt pc} to BASE. \\
1      & Vectored & Asynchronous interrupts set {\tt pc} to BASE+4$\times$cause. \\
$\ge$2 & --- & {\em Reserved} \\
\hline
\end{tabular}
\end{center}
\caption{Encoding of {\tt mtvec} MODE field.}
\label{mtvec-mode}
\end{table*}

The encoding of the MODE field is shown in Table~\ref{mtvec-mode}.  When
MODE=Direct, all traps into machine mode cause the {\tt pc} to be set to the
address in the BASE field.  When MODE=Vectored, all synchronous exceptions
into machine mode cause the {\tt pc} to be set to the address in the BASE
field, whereas interrupts cause the {\tt pc} to be set to the address in
the BASE field plus four times the interrupt cause number.  For example,
a machine-mode timer interrupt (see Table~\ref{mcauses} on page~\pageref{mcauses}) causes the {\tt pc}
to be set to BASE+{\tt 0x1c}.

\begin{commentary}
When vectored interrupts are enabled, interrupt cause 0, which corresponds to
user-mode software interrupts, are vectored to the same location as
synchronous exceptions.  This ambiguity does not arise in practice, since
user-mode software interrupts are either disabled or delegated to user mode.
\end{commentary}

An implementation may have different alignment constraints for
different modes.  In particular, MODE=Vectored may have stricter
alignment constraints than MODE=Direct.

\begin{commentary}
  Allowing coarser alignments in Vectored mode enables vectoring to be
  implemented without a hardware adder circuit.
\end{commentary}

\begin{commentary}
Reset and NMI vector locations are given in a platform specification.
\end{commentary}

\subsection{Machine Trap Delegation Registers ({\tt medeleg} and {\tt mideleg})}

By default, all traps at any privilege level are handled in machine
mode, though a machine-mode handler can redirect traps back to the
appropriate level with the MRET instruction (Section~\ref{otherpriv}).
To increase performance, implementations can provide individual
read/write bits within {\tt medeleg} and {\tt mideleg} to indicate
that certain exceptions and interrupts should be processed directly by
a lower privilege level.  The machine exception delegation register
({\tt medeleg}) and machine interrupt delegation register ({\tt
  mideleg}) are MXLEN-bit read/write registers.

In systems with S-mode, the {\tt medeleg} and {\tt mideleg} registers
must exist, and setting a bit in
{\tt medeleg} or {\tt mideleg} will delegate the corresponding trap, when
occurring in S-mode or U-mode, to the S-mode trap handler.
In systems without S-mode, the {\tt medeleg} and {\tt mideleg} registers
should not exist (unless the N extension for user-mode interrupts is
implemented).

\begin{commentary}
  In versions 1.9.1 and earlier , these registers existed but were
  hardwired to zero in M-mode only, or M/U without N systems.  There
  is no reason to require they return zero in those cases, as the {\tt
    misa} register indicates whether they exist.
\end{commentary}


When a trap is delegated to S-mode, the
{\tt scause} register is written with the trap cause; the
{\tt sepc} register is written with the virtual address of
the instruction that took the trap; the
{\tt stval} register is written with an
exception-specific datum; the SPP field
of {\tt mstatus} is written with the active privilege mode at the time of
the trap; the SPIE field of {\tt mstatus} is written with the
value of the SIE field at the time of the trap; and
the SIE field of {\tt mstatus} is cleared.
The {\tt mcause}, {\tt mepc}, and {\tt mtval} registers and the MPP and
MPIE fields of {\tt mstatus} are not written.

An
implementation can choose to subset the delegatable traps, with the
supported delegatable bits found by writing one to every bit location,
then reading back the value in {\tt medeleg} or {\tt mideleg} to see
which bit positions hold a one.

An implementation shall not hardwire any bits of {\tt medeleg} to one, i.e.,
any synchronous trap that can be delegated must support not being delegated.
Similarly, an implementation shall not hardwire to one any bits of
{\tt mideleg} corresponding to machine-level interrupts (but may do so
for lower-level interrupts).

\begin{commentary}
Version 1.11 and earlier prohibited hardwiring any bits of {\tt mideleg}
to one.
Platform standards may always add such restrictions.
\end{commentary}

Traps never transition from a more-privileged mode to a less-privileged mode.
For example, if M-mode has delegated illegal instruction exceptions to S-mode, and
M-mode software later executes an illegal instruction, the trap is taken in
M-mode, rather than being delegated to S-mode.  By contrast, traps may be
taken horizontally.  Using the same example, if M-mode has delegated illegal
instruction exceptions to S-mode, and S-mode software later executes an illegal
instruction, the trap is taken in S-mode.

Delegated interrupts result in the interrupt being masked at the delegator
privilege level.  For example, if the supervisor timer interrupt (STI) is
delegated to S-mode by setting {\tt mideleg}[5], STIs will not be taken when
executing in M-mode.  By contrast, if {\tt mideleg}[5] is clear, STIs can
be taken in any mode and regardless of current mode will transfer control to
M-mode.

\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}U}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{Synchronous Exceptions (\warl)} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine Exception Delegation Register {\tt medeleg}.}
\label{medelegreg}
\end{figure}

{\tt medeleg} has a bit position allocated for every synchronous exception
shown in Table~\ref{mcauses} on page~\pageref{mcauses}, with the index of the bit position equal to the
value returned in the {\tt mcause} register (i.e., setting bit 8 allows
user-mode environment calls to be delegated to a lower-privilege trap
handler).

\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}U}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{Interrupts (\warl)} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine Interrupt Delegation Register {\tt mideleg}.}
\label{midelegreg}
\end{figure}

{\tt mideleg} holds trap delegation bits for individual interrupts, with the
layout of bits matching those in the {\tt mip} register (i.e., STIP interrupt
delegation control is located in bit 5).

For exceptions that cannot occur in less privileged modes, the corresponding
{\tt medeleg} bits should be hardwired to zero.  In particular,
{\tt medeleg}[11] is hardwired to zero.

\subsection{Machine Interrupt Registers ({\tt mip} and {\tt mie})}

The {\tt mip} register is an MXLEN-bit read/write register containing
information on pending interrupts, while {\tt mie} is the
corresponding MXLEN-bit read/write register containing interrupt enable
bits.
Interrupt cause number \textit{i} (as reported in CSR {\tt mcause},
Section~\ref{sec:mcause}) corresponds with bit~\textit{i} in both
{\tt mip} and {\tt mie}.
Bits 15:0 are allocated to standard interrupt causes only, while bits 16
and above are designated for platform or custom use.

\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}U}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{Interrupts (\warl)} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine Interrupt-Pending Register ({\tt mip}).}
\label{mipreg}
\end{figure}

\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}U}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{Interrupts (\warl)} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine Interrupt-Enable Register ({\tt mie}).}
\label{miereg}
\end{figure}

An interrupt \textit{i} will be taken if bit \textit{i} is set in both
{\tt mip} and {\tt mie}, and if interrupts are globally enabled.  By
default, M-mode interrupts are globally enabled if the hart's current
privilege mode is less than M, or if the current privilege mode is M
and the MIE bit in the {\tt mstatus} register is set.  If bit \textit{i}
in {\tt mideleg} is set, however, interrupts are considered to be
globally enabled if the hart's current privilege mode equals the
delegated privilege mode and that mode's interrupt enable
bit (\textit{x}\/IE in {\tt mstatus} for mode~\textit{x}) is set,
or if the current
privilege mode is less than the delegated privilege mode.

Each individual bit in register {\tt mip} may be writable or may be
read-only.
When bit~\textit{i} in {\tt mip} is writable, a pending interrupt
\textit{i} can be cleared by writing 0 to this bit.
If interrupt \textit{i} can become pending but bit~\textit{i} in
{\tt mip} is read-only, the implementation must provide some other
mechanism for clearing the pending interrupt.

A bit in {\tt mie} must be writable if the corresponding interrupt can
ever become pending.
Bits of {\tt mie} that are not writable must be hardwired to zero.

The standard portions (bits 15:0) of registers {\tt mip} and {\tt mie}
are formatted as shown in Figures \ref{mipreg-standard} and
\ref{miereg-standard} respectively.

\begin{figure*}[h!]
{\footnotesize
\begin{center}
\setlength{\tabcolsep}{4pt}
\begin{tabular}{Rcccccccccccc}
\instbitrange{15}{12} &
\instbit{11} &
\instbit{10} &
\instbit{9} &
\instbit{8} &
\instbit{7} &
\instbit{6} &
\instbit{5} &
\instbit{4} &
\instbit{3} &
\instbit{2} &
\instbit{1} &
\instbit{0} \\
\hline
\multicolumn{1}{|c|}{0} &
\multicolumn{1}{c|}{MEIP} &
\multicolumn{1}{c|}{0} &
\multicolumn{1}{c|}{SEIP} &
\multicolumn{1}{c|}{0} &
\multicolumn{1}{c|}{MTIP} &
\multicolumn{1}{c|}{0} &
\multicolumn{1}{c|}{STIP} &
\multicolumn{1}{c|}{0} &
\multicolumn{1}{c|}{MSIP} &
\multicolumn{1}{c|}{0} &
\multicolumn{1}{c|}{SSIP} &
\multicolumn{1}{c|}{0} \\
\hline
4 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Standard portion (bits 15:0) of {\tt mip}.}
\label{mipreg-standard}
\end{figure*}

\begin{figure*}[h!]
{\footnotesize
\begin{center}
\setlength{\tabcolsep}{4pt}
\begin{tabular}{Rcccccccccccc}
\instbitrange{15}{12} &
\instbit{11} &
\instbit{10} &
\instbit{9} &
\instbit{8} &
\instbit{7} &
\instbit{6} &
\instbit{5} &
\instbit{4} &
\instbit{3} &
\instbit{2} &
\instbit{1} &
\instbit{0} \\
\hline
\multicolumn{1}{|c|}{0} &
\multicolumn{1}{c|}{MEIE} &
\multicolumn{1}{c|}{0} &
\multicolumn{1}{c|}{SEIE} &
\multicolumn{1}{c|}{0} &
\multicolumn{1}{c|}{MTIE} &
\multicolumn{1}{c|}{0} &
\multicolumn{1}{c|}{STIE} &
\multicolumn{1}{c|}{0} &
\multicolumn{1}{c|}{MSIE} &
\multicolumn{1}{c|}{0} &
\multicolumn{1}{c|}{SSIE} &
\multicolumn{1}{c|}{0} \\
\hline
4 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 & 1 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Standard portion (bits 15:0) of {\tt mie}.}
\label{miereg-standard}
\end{figure*}

\begin{commentary}
  The machine-level interrupt registers handle a few root interrupt
  sources which are assigned a fixed service priority for simplicity,
  while separate external interrupt controllers can implement a more
  complex prioritization scheme over a much larger set of interrupts
  that are then muxed into the machine-level interrupt sources.
\end{commentary}

\begin{commentary}
The non-maskable interrupt is not made visible via the {\tt mip}
register as its presence is implicitly known when executing the NMI
trap handler.
\end{commentary}

Bits {\tt mip}.MEIP and {\tt mie}.MEIE are the interrupt-pending and
interrupt-enable bits for machine-level external interrupts.
MEIP is read-only in {\tt mip}, and is set and cleared by a
platform-specific interrupt controller.

Bits {\tt mip}.MTIP and {\tt mie}.MTIE are the interrupt-pending and
interrupt-enable bits for machine timer interrupts.
MTIP is read-only in {\tt mip}, and is cleared by writing to the memory-mapped
machine-mode timer compare register.

Bits {\tt mip}.MSIP and {\tt mie}.MSIE are the interrupt-pending and
interrupt-enable bits for machine-level software interrupts.
MSIP is read-only in {\tt mip}, and is written by accesses
to memory-mapped control registers, which are used by remote harts to
provide machine-level interprocessor interrupts.
A hart can write its
own MSIP bit using the same memory-mapped control register.

If supervisor mode is not implemented, bits SEIP, STIP, and SSIP of
{\tt mip} and SEIE, STIE, and SSIE of {\tt mie} are hardwired to zeros.

If supervisor mode is implemented, bits {\tt mip}.SEIP and {\tt mie}.SEIE
are the interrupt-pending and interrupt-enable bits for supervisor-level
external interrupts.
SEIP is writable in {\tt mip}, and
may be written by M-mode software to indicate to S-mode that an
external interrupt is pending.  Additionally, the platform-level
interrupt controller may generate supervisor-level external interrupts.
Supervisor-level external interrupts are made pending based on the
logical-OR of the software-writable SEIP bit and the signal from the
external interrupt controller.
When {\tt mip} is read with a CSR instruction,
the value of the SEIP bit returned in the {\tt rd} destination
register is the logical-OR of the software-writable bit and the
interrupt signal from the interrupt controller, but the signal from the
interrupt controller is not used to calculate the value written to SEIP.
Only the software-writable SEIP bit participates in the
read-modify-write sequence of a CSRRS or CSRRC instruction.

\begin{commentary}
  The SEIP field behavior is designed to allow a higher privilege
  layer to mimic external interrupts cleanly, without losing any real
  external interrupts.  The behavior of the CSR instructions is
  slightly modified from regular CSR accesses as a result.
\end{commentary}

If supervisor mode is implemented, bits {\tt mip}.STIP and {\tt mie}.STIE
are the interrupt-pending and interrupt-enable bits for supervisor-level
timer interrupts.
STIP is writable in {\tt mip}, and may be
written by M-mode software to deliver timer interrupts to S-mode.

If supervisor mode is implemented, bits {\tt mip}.SSIP and {\tt mie}.SSIE
are the interrupt-pending and interrupt-enable bits for supervisor-level
software interrupts.
SSIP is writable in {\tt mip}.

\begin{commentary}
Interprocessor
interrupts at supervisor level are implemented through
implementation-specific mechanisms, e.g., via calls to an SEE,
which might ultimately result in
a machine-mode write to the receiving hart's MSIP bit.

We allow a hart to directly write only its own SSIP bit, not those of other
harts, as other harts might be
virtualized and possibly descheduled by higher privilege levels.  We
rely on calls to the SEE to provide interprocessor interrupts
for this reason.  Machine-mode harts are not virtualized and can
directly interrupt other harts by setting their MSIP bits, typically
using uncached I/O writes to memory-mapped control registers depending
on the platform specification.
\end{commentary}

Multiple simultaneous interrupts destined for different privilege modes are
handled in decreasing order of destined privilege mode.  Multiple simultaneous
interrupts destined for the same privilege mode are handled in the following
decreasing priority order: MEI, MSI, MTI, SEI, SSI, STI.
Synchronous exceptions are of lower priority than all interrupts.

\begin{commentary}
  The machine-level interrupt fixed-priority ordering rules were developed
  with the following rationale.
  
  Interrupts for higher privilege modes must be serviced before
  interrupts for lower privilege modes to support preemption.

  The platform-specific machine-level interrupt sources in bits 16 and above
  have platform-specific priority, but are typically chosen to have the
  highest service priority to support very fast local vectored interrupts.

  External interrupts are handled before internal (timer/software)
  interrupts as external interrupts are usually generated by devices
  that might require low interrupt service times.

  Software interrupts are handled before internal timer interrupts,
  because internal timer interrupts are usually intended for time
  slicing, where time precision is less important, whereas software
  interrupts are used for inter-processor messaging.  Software
  interrupts can be avoided when high-precision timing is required, or
  high-precision timer interrupts can be routed via a different
  interrupt path.
  Software interrupts are located in the lowest four bits of {\tt mip}
  as these are often written by software, and this position allows the
  use of a single CSR instruction with a five-bit immediate.

  Synchronous exceptions are given the lowest priority to minimize
  worst-case interrupt latency.
\end{commentary}

Restricted views of the {\tt mip} and {\tt mie} registers appear as
the {\tt sip} and {\tt sie} registers for supervisor level.
If an interrupt is delegated to
S-mode by setting a bit in the {\tt mideleg} register,
it becomes visible in the {\tt sip} register and is maskable
using the {\tt sie} register.  Otherwise, the corresponding
bits in {\tt sip} and {\tt sie} appear to be hardwired
to zero.

\subsection{Hardware Performance Monitor}

M-mode includes a basic hardware performance-monitoring facility.  The
{\tt mcycle} CSR counts the number of clock cycles executed by the
processor core on which the hart is running.
The {\tt minstret} CSR counts the number of instructions the hart has
retired.  The {\tt mcycle} and {\tt minstret} registers have 64-bit
precision on all RV32 and RV64 systems.

The counter registers have an arbitrary value after the hart is reset, and
can be written with a given value. Any CSR write takes effect after
the writing instruction has otherwise completed.
The {\tt mcycle} CSR may be shared between harts on the same core, in which
case writes to {\tt mcycle} will be visible to those harts.
The platform should provide a mechanism to indicate which harts share an {\tt
mcycle} CSR.

The hardware performance monitor includes 29 additional 64-bit event counters, {\tt
mhpmcounter3}--{\tt mhpmcounter31}.  The event selector CSRs, {\tt
mhpmevent3}--{\tt mhpmevent31}, are MXLEN-bit \warl\ registers that control which event
causes the corresponding counter to increment.  The meaning of these events is
defined by the platform, but event 0 is defined to mean ``no event.''
All counters should be implemented, but a legal implementation is to hard-wire
both the counter and its corresponding event selector to 0.

\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}K@{}W@{}K}
\instbitrange{63}{0} \\ \cline{1-1}
\multicolumn{1}{|c|}{\tt mcycle} \\ \cline{1-1}
\multicolumn{1}{|c|}{\tt minstret} \\ \cline{1-1}
 & & \instbitrange{MXLEN-1}{0} \\ \cline{1-1}\cline{3-3}
\multicolumn{1}{|c|}{\tt mhpmcounter3} & & \multicolumn{1}{|c|}{\tt mhpmevent3} \\ \cline{1-1}\cline{3-3}
\multicolumn{1}{|c|}{\tt mhpmcounter4} & & \multicolumn{1}{|c|}{\tt mhpmevent4} \\ \cline{1-1}\cline{3-3}
\multicolumn{1}{c}{\vdots} & & \multicolumn{1}{c}{\vdots} \\ \cline{1-1}\cline{3-3}
\multicolumn{1}{|c|}{\tt mhpmcounter30} & & \multicolumn{1}{|c|}{\tt mhpmevent30} \\ \cline{1-1}\cline{3-3}
\multicolumn{1}{|c|}{\tt mhpmcounter31} & & \multicolumn{1}{|c|}{\tt mhpmevent31} \\ \cline{1-1}\cline{3-3}
64 & & MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Hardware performance monitor counters.}
\end{figure}

The {\tt mhpmcounter}s are \warl\ registers that support up to 64 bits of
precision on RV32 and RV64.

\begin{commentary}
A future revision of this specification will define a mechanism to generate an
interrupt when a hardware performance monitor counter overflows.
\end{commentary}

On RV32 only, reads of the {\tt mcycle}, {\tt minstret}, and {\tt
mhpmcounter{\em n}} CSRs return the low 32 bits, while reads of the {\tt
mcycleh}, {\tt minstreth}, and {\tt mhpmcounter{\em n}h} CSRs return bits
63--32 of the corresponding counter.

\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}K}
\instbitrange{31}{0} \\ \hline
\multicolumn{1}{|c|}{\tt mcycleh} \\ \hline
\multicolumn{1}{|c|}{\tt minstreth} \\ \hline
\multicolumn{1}{|c|}{\tt mhpmcounter3h} \\ \hline
\multicolumn{1}{|c|}{\tt mhpmcounter4h} \\ \hline
\multicolumn{1}{c}{\vdots}  \\ \hline
\multicolumn{1}{|c|}{\tt mhpmcounter30h} \\ \hline
\multicolumn{1}{|c|}{\tt mhpmcounter31h} \\ \hline
32 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Upper 32 bits of hardware performance monitor counters, RV32 only.}
\end{figure}

%On RV128 systems, the 64-bit values in {\tt mcycle}, {\tt minstret}, and
%{\tt mhpmcounter{\em n}} are sign-extended to 128-bits when read.
%\begin{commentary}
%On RV128 systems, both signed and unsigned 64-bit values are held in a
%canonical form with bit 63 repeated in all higher bit positions.  The
%counters are 64-bit values even in RV128, and so the counter CSR reads
%preserve the sign-extension invariant.  Implementations may choose to
%implement fewer bits of the counters, provided software would be unlikely
%to experience wraparound (e.g., $2^{63}$ instructions executed)
%and thereby avoid having to actually implement the sign-extension
%circuitry.
%\end{commentary}

\subsection{Machine Counter-Enable Register ({\tt mcounteren})}
\label{sec:mcounteren}

The counter-enable register {\tt mcounteren} is a 32-bit register that
controls the availability of the hardware performance-monitoring counters to
the next-lowest privileged mode.

\begin{figure*}[h!]
{\footnotesize
\begin{center}
\setlength{\tabcolsep}{4pt}
\begin{tabular}{cccMcccccc}
\instbit{31} &
\instbit{30} &
\instbit{29} &
\instbitrange{28}{6} &
\instbit{5} &
\instbit{4} &
\instbit{3} &
\instbit{2} &
\instbit{1} &
\instbit{0} \\
\hline
\multicolumn{1}{|c|}{HPM31} &
\multicolumn{1}{c|}{HPM30} &
\multicolumn{1}{c|}{HPM29} &
\multicolumn{1}{c|}{...} &
\multicolumn{1}{c|}{HPM5} &
\multicolumn{1}{c|}{HPM4} &
\multicolumn{1}{c|}{HPM3} &
\multicolumn{1}{c|}{IR} &
\multicolumn{1}{c|}{TM} &
\multicolumn{1}{c|}{CY} \\
\hline
1 & 1 & 1 & 23 & 1 & 1 & 1 & 1 & 1 & 1 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Counter-enable register ({\tt mcounteren}).}
\label{mcounteren}
\end{figure*}

The settings in this register only control accessibility.  The act
of reading or writing this register does not affect the underlying
counters, which continue to increment even when not accessible.

When the CY, TM, IR, or HPM{\em n} bit in the {\tt mcounteren}
register is clear, attempts to read the {\tt cycle}, {\tt time}, {\tt
  instret}, or {\tt hpmcounter{\em n}} register while executing in
S-mode or U-mode will cause an illegal instruction exception.  When
one of these bits is set, access to the corresponding register is
permitted in the next implemented privilege mode (S-mode if
implemented, otherwise U-mode).

\begin{commentary}
The counter-enable bits support two common use cases with minimal hardware.
For systems that do not need high-performance timers and counters,
machine-mode software can trap accesses and implement all features in
software.  For systems that need high-performance timers and counters
but are not concerned with obfuscating the underlying hardware
counters, the counters can be directly exposed to lower privilege modes.
\end{commentary}

The {\tt cycle}, {\tt instret}, and {\tt hpmcounter{\em n}} CSRs are
read-only shadows of {\tt mcycle}, {\tt minstret}, and {\tt mhpmcounter{\em
n}}, respectively.  The {\tt time} CSR is a read-only shadow of the
memory-mapped {\tt mtime} register.  Analogously, on RV32I the {\tt cycleh},
{\tt instreth} and {\tt hpmcounter{\em n}} CSRs are read-only shadows of
{\tt mcycleh}, {\tt minstreth} and {\tt mhpmcounter{\em n}h}, respectively.
On RV32I the {\tt timeh} CSR is a read-only shadow of the upper 32 bits of
the memory-mapped {\tt mtime} register, while {\tt time} shadows only the
lower 32 bits of {\tt mtime}.
\begin{commentary}
Implementations can convert reads of the {\tt time} and {\tt timeh} CSRs
into loads to the memory-mapped {\tt mtime} register, or emulate this
functionality in M-mode software.
\end{commentary}

In systems with U-mode, the {\tt mcounteren} must be implemented, but all
fields are \warl\ and may be hardwired to zero,
indicating reads to the corresponding counter will
cause an illegal instruction exception when executing in a less-privileged mode.
In systems without U-mode, the {\tt mcounteren} register should not exist.

\subsection{Machine Counter-Inhibit CSR ({\tt mcountinhibit})}

\begin{figure*}[h!]
{\footnotesize
\begin{center}
\setlength{\tabcolsep}{4pt}
\begin{tabular}{cccMcccccc}
\instbit{31} &
\instbit{30} &
\instbit{29} &
\instbitrange{28}{6} &
\instbit{5} &
\instbit{4} &
\instbit{3} &
\instbit{2} &
\instbit{1} &
\instbit{0} \\
\hline
\multicolumn{1}{|c|}{HPM31} &
\multicolumn{1}{c|}{HPM30} &
\multicolumn{1}{c|}{HPM29} &
\multicolumn{1}{c|}{...} &
\multicolumn{1}{c|}{HPM5} &
\multicolumn{1}{c|}{HPM4} &
\multicolumn{1}{c|}{HPM3} &
\multicolumn{1}{c|}{IR} &
\multicolumn{1}{c|}{0} &
\multicolumn{1}{c|}{CY} \\
\hline
1 & 1 & 1 & 23 & 1 & 1 & 1 & 1 & 1 & 1 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Counter-inhibit register {\tt mcountinhibit}.}
\label{mcountinhibit}
\end{figure*}

The counter-inhibit register {\tt mcountinhibit} is a 32-bit \warl\ register
that controls which of the hardware performance-monitoring counters increment.
The settings in this register only control whether the counters increment;
their accessibility is not affected by the setting of this register.

When the CY, IR, or HPM{\em n} bit in the {\tt mcountinhibit} register is
clear, the {\tt cycle}, {\tt instret}, or {\tt hpmcounter{\em n}} register
increments as usual.  When the CY, IR, or HPM{\em n} bit is set, the
corresponding counter does not increment.

The {\tt mcycle} CSR may be shared between harts on the same core, in which
case the {\tt mcountinhibit}.CY field is also shared between those harts,
and so writes to {\tt mcountinhibit}.CY will be visible to those harts.

If the {\tt mcountinhibit} register is not implemented, the implementation
behaves as though the register were set to zero.

\begin{commentary}
When the {\tt cycle} and {\tt instret} counters are not needed, it is
desirable to conditionally inhibit them to reduce energy consumption.
Providing a single CSR to inhibit all counters also allows the counters to be
atomically sampled.

Because the {\tt time} counter can be shared between multiple cores, it
cannot be inhibited with the {\tt mcountinhibit} mechanism.
\end{commentary}

\subsection{Machine Scratch Register ({\tt mscratch})}

The {\tt mscratch} register is an MXLEN-bit read/write register
dedicated for use by machine mode.  Typically, it is used to hold a
pointer to a machine-mode hart-local context space and swapped with a
user register upon entry to an M-mode trap handler.

\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}J}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{\tt mscratch} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine-mode scratch register.}
\label{mscratchreg}
\end{figure}

\begin{commentary}
The MIPS ISA allocated two user registers ({\tt k0}/{\tt k1}) for use
by the operating system.  Although the MIPS scheme provides a fast and
simple implementation, it also reduces available user registers,  and
does not scale to further privilege levels, or nested traps.  It can
also require both registers are cleared before returning to user level
to avoid a potential security hole and to provide deterministic
debugging behavior.

The RISC-V user ISA was designed to support many possible privileged
system environments and so we did not want to infect the user-level
ISA with any OS-dependent features.  The RISC-V CSR swap instructions
can quickly save/restore values to the {\tt mscratch} register.
Unlike the MIPS design, the OS can rely on holding a value in the {\tt
  mscratch} register while the user context is running.
\end{commentary}

\subsection{Machine Exception Program Counter ({\tt mepc})}

{\tt mepc} is an MXLEN-bit read/write register formatted as shown in
Figure~\ref{mepcreg}.  The low bit of {\tt mepc} ({\tt mepc[0]}) is
always zero.  On implementations that support only IALIGN=32, the two low bits
({\tt mepc[1:0]}) are always zero.

If an implementation allows IALIGN to be either 16 or 32 (by
changing CSR {\tt misa}, for example), then, whenever IALIGN=32, bit
{\tt mepc[1]} is masked on reads so that it appears to be 0.  This
masking occurs also for the implicit read by the MRET instruction.
Though masked, {\tt mepc[1]} remains writable when IALIGN=32.

{\tt mepc} is a \warl\ register that must be able to hold all valid
virtual addresses.  It need not be capable of holding all possible invalid
addresses.  Implementations may convert some invalid address patterns into
other invalid addresses prior to writing them to {\tt mepc}.

\begin{commentary}
When address translation is not in effect, virtual addresses and physical
addresses are equal.
Hence, the set of addresses {\tt mepc} must be able to represent includes the
set of physical addresses that can be used as a valid {\tt pc} or effective
address.
\end{commentary}

When a trap is taken into M-mode, {\tt mepc} is written with the
virtual address of the instruction that was interrupted or that
encountered the exception.  Otherwise, {\tt mepc} is never written by
the implementation, though it may be explicitly written by software.

\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}J}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{\tt mepc} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine exception program counter register.}
\label{mepcreg}
\end{figure}

\subsection{Machine Cause Register ({\tt mcause})}
\label{sec:mcause}

The {\tt mcause} register is an MXLEN-bit read-write register formatted as
shown in Figure~\ref{mcausereg}.  When a trap is taken into M-mode, {\tt
mcause} is written with a code indicating the event that caused the trap.
Otherwise, {\tt mcause} is never written by the implementation, though it may be
explicitly written by software.

The Interrupt bit in the {\tt mcause} register is set if the
trap was caused by an interrupt. The Exception Code field
 contains a code identifying the last exception or interrupt.  Table~\ref{mcauses}
lists the possible machine-level exception codes.  The Exception Code
is a \wlrl\ field, so is only guaranteed to hold supported exception
codes.


\begin{figure*}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{c@{}U}
\instbit{MXLEN-1} &
\instbitrange{MXLEN-2}{0} \\
\hline
\multicolumn{1}{|c|}{Interrupt} &
\multicolumn{1}{c|}{Exception Code (\wlrl)} \\
\hline
1 & MXLEN-1 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine Cause register {\tt mcause}.}
\label{mcausereg}
\end{figure*}

\begin{table*}[htbp]
\begin{center}
\begin{tabular}{|r|r|l|l|}

  \hline
  Interrupt & Exception Code  & Description \\
  \hline	 
  1         & 0               & {\em Reserved} \\
  1         & 1               & Supervisor software interrupt \\
  1         & 2               & {\em Reserved} \\
  1         & 3               & Machine software interrupt \\ \hline
  1         & 4               & {\em Reserved} \\
  1         & 5               & Supervisor timer interrupt \\
  1         & 6               & {\em Reserved} \\
  1         & 7               & Machine timer interrupt \\ \hline
  1         & 8               & {\em Reserved} \\
  1         & 9               & Supervisor external interrupt \\
  1         & 10              & {\em Reserved} \\
  1         & 11              & Machine external interrupt \\ \hline
  1         & 12--15          & {\em Reserved} \\
  1         & $\ge$16         & {\em Designated for platform use} \\ \hline
  0         & 0               & Instruction address misaligned \\
  0         & 1               & Instruction access fault \\
  0         & 2               & Illegal instruction \\   
  0         & 3               & Breakpoint \\
  0         & 4               & Load address misaligned \\
  0         & 5               & Load access fault \\
  0         & 6               & Store/AMO address misaligned \\
  0         & 7               & Store/AMO access fault \\
  0         & 8               & Environment call from U-mode\\
  0         & 9               & Environment call from S-mode \\
  0         & 10              & {\em Reserved} \\
  0         & 11              & Environment call from M-mode \\
  0         & 12              & Instruction page fault \\
  0         & 13              & Load page fault \\
  0         & 14              & {\em Reserved} \\
  0         & 15              & Store/AMO page fault \\
  0         & 16--23          & {\em Reserved} \\
  0         & 24--31          & {\em Designated for custom use} \\
  0         & 32--47          & {\em Reserved} \\
  0         & 48--63          & {\em Designated for custom use} \\
  0         & $\ge$64         & {\em Reserved} \\
  \hline

\end{tabular}
\end{center}
\caption{Machine cause register ({\tt mcause}) values after trap.}
\label{mcauses}
\end{table*}

Note that load and load-reserved instructions generate load exceptions,
whereas store, store-conditional, and AMO instructions generate store/AMO
exceptions.

\begin{commentary}
Interrupts can be separated from other traps with a single branch on the sign of
the {\tt mcause} register value.  A shift left can remove the
interrupt bit and scale the exception codes to index into a trap
vector table.
\end{commentary}

\begin{commentary}
We do not distinguish privileged instruction exceptions from illegal
opcode exceptions.  This simplifies the architecture and also hides
details of which higher-privilege instructions are supported by an
implementation.  The privilege level servicing the trap can implement
a policy on whether these need to be distinguished, and if so, whether
a given opcode should be treated as illegal or privileged.
\end{commentary}

If an instruction raises multiple synchronous exceptions, the
decreasing priority order of Table~\ref{exception-priority}
indicates which exception is taken and reported in {\tt mcause}.
The priority of any custom synchronous exceptions is implementation-defined.

\begin{table*}[htbp]
\begin{center}
\begin{tabular}{|l|r|l|}

  \hline
  Priority      & Exception Code & Description \\
  \hline
  {\em Highest} &          3 & Instruction address breakpoint \\ \hline
                &         12 & Instruction page fault \\ \hline
                &          1 & Instruction access fault \\ \hline
                &          2 & Illegal instruction \\
                &          0 & Instruction address misaligned \\
                &   8, 9, 11 & Environment call \\
                &          3 & Environment break \\
                &          3 & Load/Store/AMO address breakpoint \\ \hline
  {\em Optionally, these may have}
                &          6 & Store/AMO address misaligned \\
  {\em lowest priority instead.}
                &          4 & Load address misaligned \\ \hline
                &         15 & Store/AMO page fault \\
                &         13 & Load page fault \\ \hline
                &          7 & Store/AMO access fault \\
                &          5 & Load access fault \\
  \hline

\end{tabular}
\end{center}
\caption{Synchronous exception priority in decreasing priority order.}
\label{exception-priority}
\end{table*}

Note that load/store/AMO address-misaligned exceptions may have
either higher or lower priority than load/store/AMO page-fault and
access-fault exceptions.
\begin{commentary}
The relative priority of load/store/AMO address-misaligned and page-fault
exceptions is implementation-defined to flexibly cater to two design points.
Implementations that never support misaligned accesses can unconditionally
raise the misaligned-address exception without performing address translation
or protection checks.
Implementations that support misaligned accesses only to some physical
addresses must translate and check the address before determining whether the
misaligned access may proceed, in which case raising the page-fault exception
or access is more appropriate.
\end{commentary}

\begin{commentary}
Instruction address breakpoints have the same cause value as, but
different priority than, data address breakpoints (a.k.a. watchpoints)
and environment break exceptions (which are raised by the EBREAK instruction).
\end{commentary}

\begin{commentary}
Instruction address misaligned exceptions are raised by control-flow
instructions with misaligned targets, rather than by the act of fetching an
instruction.  Therefore, these exceptions have lower priority than other
instruction address exceptions.
\end{commentary}

\FloatBarrier
\subsection{Machine Trap Value Register ({\tt mtval})}

The {\tt mtval} register is an MXLEN-bit read-write register formatted as shown
in Figure~\ref{mtvalreg}.  When a trap is taken into M-mode, {\tt mtval} is
either set to zero or written with exception-specific information to assist
software in handling the trap.  Otherwise, {\tt mtval} is never written by the
implementation, though it may be explicitly written by software.  The hardware
platform will specify which exceptions must set {\tt mtval} informatively and
which may unconditionally set it to zero.

When a breakpoint,
address-misaligned, access-fault, or page-fault exception occurs
on an instruction fetch, load, or store, {\tt
  mtval} is written with the faulting virtual address.  On an illegal
instruction trap, {\tt mtval} may be written with the first XLEN or ILEN
bits of the faulting instruction as described below.  For other traps,
{\tt mtval} is set to zero, but a future standard may redefine {\tt
  mtval}'s setting for other traps.

\begin{commentary}
  The {\tt mtval} register replaces the {\tt mbadaddr} register in
  the previous specification.  In addition to providing bad addresses,
  the register can now provide the bad instruction that triggered an
  illegal instruction trap (and may in future be used to return other
  information).  Returning the instruction bits accelerates instruction emulation and also
  removes some races that might be present when trying to emulate
  illegal instructions.
\end{commentary}
\begin{commentary}
  When page-based virtual memory is enabled, {\tt mtval} is written with
  the faulting virtual address, even for physical-memory access-fault exceptions.
  This design reduces datapath cost for most implementations, particularly
  those with hardware page-table walkers.
\end{commentary}

\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}J}
\instbitrange{MXLEN-1}{0} \\
\hline
\multicolumn{1}{|c|}{\tt mtval} \\
\hline
MXLEN \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{Machine Trap Value register.}
\label{mtvalreg}
\end{figure}

For misaligned loads and stores that cause access-fault or page-fault exceptions,
{\tt mtval} will contain the virtual address of the portion of the access that
caused the fault.  For instruction access-fault or page-fault exceptions on
systems with variable-length instructions, {\tt mtval} will contain the
virtual address of the portion of the instruction that caused the fault while
{\tt mepc} will point to the beginning of the instruction.

The {\tt mtval} register can optionally also be used to return the
faulting instruction bits on an illegal instruction exception ({\tt
  mepc} points to the faulting instruction in memory).

If this feature is not provided, then {\tt mtval} is set to zero on
an illegal instruction fault.

If this feature is provided, after an illegal instruction trap, {\tt mtval}
will contain the shortest of:
\begin{compactitem}
\item the actual faulting instruction
\item the first ILEN bits of the faulting instruction
\item the first XLEN bits of the faulting instruction
\end{compactitem}
The value loaded into {\tt mtval} is right-justified and all unused upper
bits are cleared to zero.

\begin{commentary}
  Capturing the faulting instruction in {\tt mtval} reduces the
  overhead of instruction emulation, potentially avoiding several
  partial instruction loads if the instruction is misaligned, and
  likely data cache misses or slow uncached accesses when loads are
  used to fetch the instruction into a data register.  There is also a
  problem of atomicity if another agent is manipulating the
  instruction memory, as might occur in a dynamic translation system.

  A requirement is that the entire instruction (or at least the first
  XLEN bits) are fetched into {\tt mtval} before taking the trap.
  This should not constrain implementations, which would typically
  fetch the entire instruction before attempting to decode the
  instruction, and avoids complicating software handlers.

  A value of zero in {\tt mtval} signifies either that the feature is
  not supported, or an illegal zero instruction was fetched.  A load
  from the instruction memory pointed to by {\tt mepc} can be used to
  distinguish these two cases (or alternatively, the system
  configuration information can be interrogated to install the
  appropriate trap handling before runtime).
\end{commentary}

If the hardware platform specifies that no exceptions set {\tt mtval} to a
nonzero value, then it may be hardwired to zero.  Otherwise,
{\tt mtval} is a \warl\ register that must be able to hold all valid
virtual addresses and the value 0.  It need not be capable of holding all
possible invalid addresses.  Implementations may convert some invalid address
patterns into other invalid addresses prior to writing them to {\tt mtval}.
If the feature to return the faulting instruction bits is implemented, {\tt
mtval} must also be able to hold all values less than $2^N$, where $N$ is the
smaller of XLEN and ILEN.

\section{Machine-Level Memory-Mapped Registers}

\subsection{Machine Timer Registers ({\tt mtime} and {\tt mtimecmp})}

Platforms provide a real-time counter, exposed as a memory-mapped
machine-mode read-write register, {\tt mtime}.  {\tt mtime} must
increment at constant frequency, and the platform must provide a
mechanism for determining the timebase of {\tt mtime}.  The {\tt
	mtime} register will wrap around if the count overflows.

The {\tt mtime} register has a 64-bit precision on all RV32 and RV64
systems.  Platforms provide a 64-bit memory-mapped machine-mode
timer compare register ({\tt mtimecmp}).
A machine timer interrupt becomes pending whenever {\tt mtime} contains
a value greater than or equal to {\tt mtimecmp}, treating the values
as unsigned integers.
The interrupt remains posted until {\tt mtimecmp} becomes greater than
{\tt mtime} (typically as a result of writing {\tt mtimecmp}).
The interrupt will only be taken if interrupts
are enabled and the MTIE bit is set in the {\tt mie} register.

\begin{figure}[h!]
	{\footnotesize
		\begin{center}
			\begin{tabular}{@{}J}
				\instbitrange{63}{0} \\
				\hline
				\multicolumn{1}{|c|}{\tt mtime} \\
				\hline
				64 \\
			\end{tabular}
		\end{center}
	}
	\vspace{-0.1in}
	\caption{Machine time register (memory-mapped control register).}
\end{figure}

\begin{figure}[h!]
	{\footnotesize
		\begin{center}
			\begin{tabular}{@{}J}
				\instbitrange{63}{0} \\
				\hline
				\multicolumn{1}{|c|}{\tt mtimecmp} \\
				\hline
				64 \\
			\end{tabular}
		\end{center}
	}
	\vspace{-0.1in}
	\caption{Machine time compare register (memory-mapped control register).}
\end{figure}

\begin{commentary}
	The timer facility is defined to use wall-clock time rather than a
	cycle counter to support modern processors that run with a highly
	variable clock frequency to save energy through dynamic voltage and
	frequency scaling.
	
	Accurate real-time clocks (RTCs) are relatively expensive to provide
	(requiring a crystal or MEMS oscillator) and have to run even when the
	rest of system is powered down, and so there is usually only one in a
	system located in a different frequency/voltage domain from the
	processors.  Hence, the RTC must be shared by all the harts in a
	system and accesses to the RTC will potentially incur the penalty of a
	voltage-level-shifter and clock-domain crossing.  It is thus more
	natural to expose {\tt mtime} as a memory-mapped register than as a CSR.
	
	Lower privilege levels do not have their own {\tt timecmp} registers.
	Instead, machine-mode software can implement any number of virtual timers on
	a hart by multiplexing the next timer interrupt into the {\tt mtimecmp}
	register.
	
	Simple fixed-frequency systems can use a single clock for both cycle
	counting and wall-clock time.
\end{commentary}

Writes to {\tt mtime} and {\tt mtimecmp} are guaranteed to be reflected in
MTIP eventually, but not necessarily immediately.

\begin{commentary}
	A spurious timer interrupt might occur if an interrupt handler increments {\tt
		mtimecmp} then immediately returns, because MTIP might not yet have fallen in
	the interim.  All software should be written to assume this event is possible,
	but most software should assume this event is extremely unlikely.  It is
	almost always more performant to incur an occasional spurious timer interrupt
	than to poll MTIP until it falls.
\end{commentary}

In RV32, memory-mapped writes to {\tt mtimecmp} modify only one 32-bit
part of the register.  The following code sequence sets a 64-bit {\tt
	mtimecmp} value without spuriously generating a timer interrupt due
to the intermediate value of the comparand:

\begin{figure}[h!]
	\begin{center}
		\begin{verbatim}
			# New comparand is in a1:a0.
			li t0, -1
			la t1, mtimecmp
			sw t0, 0(t1)     # No smaller than old value.
			sw a1, 4(t1)     # No smaller than new value.
			sw a0, 0(t1)     # New value.
		\end{verbatim}
	\end{center}
	\caption{Sample code for setting the 64-bit time comparand in RV32, assuming
		a little-endian memory system and that the registers live in a strongly
		ordered I/O region.  Storing -1 to the low-order bits of {\tt mtimecmp}
		prevents {\tt mtimecmp} from temporarily becoming smaller than the lesser
		of the old and new values.}
	\label{mtimecmph}
\end{figure}

For RV64, naturally aligned 64-bit memory accesses to the {\tt mtime} and {\tt
	mtimecmp} registers are atomic.

\section{Machine-Mode Privileged Instructions}

\subsection{Environment Call and Breakpoint}

\vspace{-0.2in}
\begin{center}
\begin{tabular}{M@{}R@{}F@{}R@{}S}
\\
\instbitrange{31}{20} &
\instbitrange{19}{15} &
\instbitrange{14}{12} &
\instbitrange{11}{7} &
\instbitrange{6}{0} \\
\hline
\multicolumn{1}{|c|}{funct12} &
\multicolumn{1}{c|}{rs1} &
\multicolumn{1}{c|}{funct3} &
\multicolumn{1}{c|}{rd} &
\multicolumn{1}{c|}{opcode} \\
\hline
12 & 5 & 3 & 5 & 7 \\
ECALL   & 0 & PRIV & 0 & SYSTEM \\
EBREAK  & 0 & PRIV & 0 & SYSTEM \\
\end{tabular}
\end{center}

The ECALL instruction is used to make a request to the supporting execution
environment.  When executed in U-mode, S-mode, or M-mode, it generates an
environment-call-from-U-mode exception, environment-call-from-S-mode exception, or environment-call-from-M-mode exception, respectively, and performs no other operation.
\begin{commentary}
ECALL generates a different exception for each originating privilege mode
so that environment call exceptions can be selectively delegated.  A typical
use case for Unix-like operating systems is to delegate to S-mode the
environment-call-from-U-mode exception but not the others.
\end{commentary}

The EBREAK instruction is used by debuggers to cause control to be transferred
back to a debugging environment.  It generates a breakpoint exception and
performs no other operation.
\begin{commentary}
As described in the ``C'' Standard Extension for Compressed Instructions in
Volume I of this manual, the C.EBREAK instruction performs the same operation
as the EBREAK instruction.
\end{commentary}

ECALL and EBREAK cause the receiving privilege mode's {\tt epc} register
to be set to the address of the ECALL or EBREAK instruction itself, {\em not}
the address of the following instruction.
As ECALL and EBREAK cause synchronous exceptions, they are not considered to
retire, and should not increment the {\tt minstret} CSR.

\subsection{Trap-Return Instructions}
\label{otherpriv}

Instructions to return from trap are encoded under the PRIV
minor opcode.

\vspace{-0.2in}
\begin{center}
\begin{tabular}{M@{}R@{}F@{}R@{}S}
\\
\instbitrange{31}{20} &
\instbitrange{19}{15} &
\instbitrange{14}{12} &
\instbitrange{11}{7} &
\instbitrange{6}{0} \\
\hline
\multicolumn{1}{|c|}{funct12} &
\multicolumn{1}{c|}{rs1} &
\multicolumn{1}{c|}{funct3} &
\multicolumn{1}{c|}{rd} &
\multicolumn{1}{c|}{opcode} \\
\hline
12 & 5 & 3 & 5 & 7 \\
MRET/SRET & 0 & PRIV & 0 & SYSTEM \\
\end{tabular}
\end{center}

To return after handling a trap, there are separate trap return
instructions per privilege level, MRET and SRET.  MRET is
always provided. SRET must be provided if supervisor mode is
supported, and should raise an illegal instruction exception otherwise. SRET
should also raise an illegal instruction exception when TSR=1 in {\tt mstatus},
as described in Section~\ref{virt-control}.
An {\em x}\/RET instruction can be executed in privilege mode {\em x}
or higher, where executing a lower-privilege {\em x}\/RET instruction
will pop the relevant lower-privilege interrupt enable and privilege
mode stack.  In addition to manipulating the privilege stack as
described in Section~\ref{privstack}, {\em x}\/RET sets the {\tt pc}
to the value stored in the {\em x}\/{\tt epc} register.

\begin{commentary}
Previously, there was only a single ERET instruction (which was also
earlier known as SRET).  To support the addition of user-level
interrupts, we needed to add a separate URET instruction to continue
to allow classic virtualization of OS code using the ERET instruction.
It then became more orthogonal to support a different {\em x}\/RET
instruction per privilege level.
\end{commentary}

If the A extension is supported, the {\em x}\/RET instruction is
allowed to clear any outstanding LR address reservation but is not
required to.  Trap handlers should explicitly clear the reservation if
required (e.g., by using a dummy SC) before executing the {\em x}\/RET.

\begin{commentary}
  If {\em x}\/RET instructions always cleared LR reservations, it would
  be impossible to single-step through LR/SC sequences using a
  debugger.
\end{commentary}

\subsection{Wait for Interrupt}
\label{wfi}

The Wait for Interrupt instruction (WFI) provides a hint to the
implementation that the current hart can be stalled until an interrupt
might need servicing.  Execution of the WFI instruction can also be
used to inform the hardware platform that suitable interrupts should
preferentially be routed to this hart.  WFI is available in all
privileged modes, and optionally available to U-mode.  This instruction may
raise an illegal instruction exception when TW=1 in {\tt mstatus}, as described
in Section~\ref{virt-control}.

\vspace{-0.2in}
\begin{center}
\begin{tabular}{M@{}R@{}F@{}R@{}S}
\\
\instbitrange{31}{20} &
\instbitrange{19}{15} &
\instbitrange{14}{12} &
\instbitrange{11}{7} &
\instbitrange{6}{0} \\
\hline
\multicolumn{1}{|c|}{funct12} &
\multicolumn{1}{c|}{rs1} &
\multicolumn{1}{c|}{funct3} &
\multicolumn{1}{c|}{rd} &
\multicolumn{1}{c|}{opcode} \\
\hline
12 & 5 & 3 & 5 & 7 \\
WFI  & 0 & PRIV & 0 & SYSTEM \\
\end{tabular}
\end{center}

If an enabled interrupt is present or later becomes present while the
hart is stalled, the interrupt exception will be taken on the
following instruction, i.e., execution resumes in the trap handler and
{\tt mepc} = {\tt pc} + 4.

\begin{commentary}
The following instruction takes the interrupt exception and trap, so
that a simple return from the trap handler will execute code after the
WFI instruction.
\end{commentary}

The purpose of the WFI instruction is to provide a hint to the implementation,
and so a legal implementation is to simply implement WFI as a NOP.

\begin{commentary}
If the implementation does not stall the hart on execution of the
instruction, then the interrupt will be taken on some instruction in
the idle loop containing the WFI, and on a simple return from the
handler, the idle loop will resume execution.
\end{commentary}

The WFI instruction can also be executed when interrupts are disabled.  The
operation of WFI must be unaffected by the global interrupt bits in {\tt
mstatus} (MIE and SIE) and the delegation register {\tt mideleg}
(i.e., the hart must resume if a locally enabled interrupt becomes pending,
even if it has been delegated to a less-privileged mode), but should honor the
individual interrupt enables (e.g, MTIE) (i.e., implementations should
avoid resuming the hart if the interrupt is pending but not
individually enabled).  WFI is also required to resume execution for
locally enabled interrupts pending at any privilege level, regardless
of the global interrupt enable at each privilege level.

If the event that causes the hart to resume execution does not cause
an interrupt to be taken, execution will resume at {\tt pc} + 4, and
software must determine what action to take, including looping back to
repeat the WFI if there was no actionable event.

\begin{commentary}
By allowing wakeup when interrupts are disabled, an alternate entry
point to an interrupt handler can be called that does not require
saving the current context, as the current context can be saved or
discarded before the WFI is executed.

As implementations are free to implement WFI as a NOP, software must
explicitly check for any relevant pending but disabled interrupts in
the code following an WFI, and should loop back to the WFI if no
suitable interrupt was detected.  The {\tt mip}, {\tt sip},
or {\tt uip} registers can be interrogated to determine the presence
of any interrupt in machine, supervisor, or user mode
respectively.

The operation of WFI is unaffected by the delegation register settings.

WFI is defined so that an implementation can trap into a higher
privilege mode, either immediately on encountering the WFI or after
some interval to initiate a machine-mode transition to a lower power
state, for example.
\end{commentary}

\begin{commentary}
The same ``wait-for-event'' template might be used for possible future
extensions that wait on memory locations changing, or message
arrival.
\end{commentary}

\section{Reset}
\label{sec:reset}

Upon reset, a hart's privilege mode is set to M.  The {\tt mstatus} fields MIE
and MPRV are reset to 0.
If little-endian memory accesses are supported, the {\tt mstatus}/{\tt mstatush}
field MBE is reset to 0.
The {\tt misa} register is reset to enable the maximal set of supported
extensions and widest MXLEN, as described in Section~\ref{sec:misa}.
The {\tt pc} is set to an implementation-defined
reset vector.  The {\tt mcause} register is set to a value indicating the
cause of the reset.
Writable PMP registers' A and L fields are set to 0, unless the platform
mandates a different reset value for some PMP registers' A and L fields.
All other hart state is \unspecified.

The {\tt mcause} values after reset have implementation-specific
interpretation, but the value 0 should be returned on implementations
that do not distinguish different reset conditions. Implementations
that distinguish different reset conditions should only use 0 to
indicate the most complete reset (e.g., hard reset).

\begin{commentary}
Some designs may have multiple causes of reset (e.g., power-on reset,
external hard reset, brownout detected, watchdog timer elapse,
sleep-mode wakeup), which machine-mode software and debuggers may wish
to distinguish.

{\tt mcause} reset values may alias {\tt mcause} values following synchronous
exceptions.  There should be no ambiguity in this overlap, since on reset the
{\tt pc} is typically set to a different value than on other traps.
\end{commentary}

\section{Non-Maskable Interrupts}
\label{sec:nmi}

Non-maskable interrupts (NMIs) are only used for hardware error
conditions, and cause an immediate jump to an implementation-defined
NMI vector running in M-mode regardless of the state of a hart's
interrupt enable bits.  The {\tt mepc} register is written with the
virtual address of the instruction that was interrupted,
and {\tt mcause} is set to a value indicating the source of the
NMI.  The NMI can thus overwrite state in an active machine-mode
interrupt handler.

The values written to {\tt mcause} on an NMI are
implementation-defined.  The high Interrupt bit of {\tt mcause} should
be set to indicate that this was an interrupt.  An Exception Code of 0
is reserved to mean ``unknown cause'' and implementations that do not
distinguish sources of NMIs via the {\tt mcause} register should
return 0 in the Exception Code.

Unlike resets, NMIs do not reset processor state, enabling diagnosis,
reporting, and possible containment of the hardware error.

\section{Physical Memory Attributes}
\label{sec:pma}

The physical memory map for a complete system includes various address
ranges, some corresponding to memory regions, some to memory-mapped
control registers, and some to vacant holes in the address space.  Some
memory regions might not support reads, writes, or execution; some
might not support subword or subblock accesses; some might not support
atomic operations; and some might not support cache coherence or might
have different memory models.  Similarly, memory-mapped control
registers vary in their supported access widths, support for atomic
operations, and whether read and write accesses have associated side
effects.  In RISC-V systems, these properties and capabilities of each
region of the machine's physical address space are termed {\em
  physical memory attributes} (PMAs).  This section describes RISC-V
PMA terminology and how RISC-V systems implement and check PMAs.

PMAs are inherent properties of the underlying hardware and rarely
change during system operation.  Unlike physical memory protection
values described in Section~\ref{sec:pmp}, PMAs do not vary by
execution context.  The PMAs of some memory regions are fixed at chip
design time---for example, for an on-chip ROM.  Others are fixed at
board design time, depending, for example, on which other chips are
connected to off-chip buses.  Off-chip buses might also support
devices that could be changed on every power cycle (cold pluggable) or
dynamically while the system is running (hot pluggable).  Some devices
might be configurable at run time to support different uses that imply
different PMAs---for example, an on-chip scratchpad RAM might be
cached privately by one core in one end-application, or accessed as a
shared non-cached memory in another end-application.

Most systems will require that at least some PMAs are dynamically
checked in hardware later in the execution pipeline after the physical
address is known, as some operations will not be supported at all
physical memory addresses, and some operations require knowing the
current setting of a configurable PMA attribute.  While many other architectures
specify some PMAs in the virtual memory page tables and use the TLB to
inform the pipeline of these properties, this approach injects platform-specific
information into a virtualized layer and can cause system errors
unless attributes are correctly initialized in each page-table entry
for each physical memory region.  In addition, the available
page sizes might not be optimal for specifying attributes in the
physical memory space, leading to address-space fragmentation and
inefficient use of expensive TLB entries.

For RISC-V, we separate out specification and checking of PMAs into a
separate hardware structure, the {\em PMA checker}.  In many cases,
the attributes are known at system design time for each physical
address region, and can be hardwired into the PMA checker.  Where the
attributes are run-time configurable, platform-specific memory-mapped
control registers can be provided to specify these attributes at a
granularity appropriate to each region on the platform (e.g., for an
on-chip SRAM that can be flexibly divided between cacheable and
uncacheable uses).  PMAs are checked for any access to physical
memory, including accesses that have undergone virtual to physical
memory translation.  To aid in system debugging, we strongly recommend
that, where possible, RISC-V processors precisely trap physical memory
accesses that fail PMA checks.  Precisely trapped PMA violations manifest
as instruction, load, or store access-fault exceptions, distinct from
virtual-memory page-fault exceptions. Precise PMA traps might not always be
possible, for example, when probing a legacy bus architecture that
uses access failures as part of the discovery mechanism.  In this
case, error responses from slave devices will be reported as imprecise
bus-error interrupts.

PMAs must also be readable by software to correctly access certain
devices or to correctly configure other hardware components that
access memory, such as DMA engines.  As PMAs are tightly tied to a
given physical platform's organization, many details are inherently
platform-specific, as is the means by which software can learn the PMA
values for a platform.  Some
devices, particularly legacy buses, do not support discovery of PMAs
and so will give error responses or time out if an unsupported access
is attempted.  Typically, platform-specific machine-mode code will
extract PMAs and ultimately present this information to higher-level
less-privileged software using some standard representation.

Where platforms support dynamic reconfiguration of PMAs, an interface
will be provided to set the attributes by passing requests to a
machine-mode driver that can correctly reconfigure the platform.  For
example, switching cacheability attributes on some memory regions
might involve platform-specific operations, such as cache flushes,
that are available only to machine-mode.

\subsection{Main Memory versus I/O versus Vacant Regions}

The most important characterization of a given memory address range is
whether it holds regular main memory, or I/O devices, or is vacant.
Regular main memory is required to have a number of properties,
specified below, whereas I/O devices can have a much broader range of
attributes.  Memory regions that do not fit into regular main
memory, for example, device scratchpad RAMs, are categorized as I/O
regions.  Vacant regions are also classified as I/O regions but with
attributes specifying that no accesses are supported.

\subsection{Supported Access Type PMAs}

Access types specify which access widths, from 8-bit byte to long
multi-word burst, are supported, and also whether misaligned accesses
are supported for each access width.

\begin{commentary}
Although software running on a RISC-V hart cannot directly generate
bursts to memory, software might have to program DMA engines to access
I/O devices and might therefore need to know which access sizes are
supported.
\end{commentary}

Main memory regions always support read and write of all
access widths required by the attached devices, and can
specify whether instruction fetch is supported.

\begin{commentary}
Some platforms might mandate that all of main memory support instruction
fetch.
Other platforms might prohibit instruction fetch from some main memory
regions.
\end{commentary}

\begin{commentary}
In some cases, the design of a processor or device accessing main
memory might support other widths, but must be able to function with
the types supported by the main memory.
\end{commentary}

I/O regions can specify which combinations of read, write, or execute
accesses to which data widths are supported.

For systems with page-based virtual memory, I/O and memory regions can
specify which combinations of hardware page-table reads and hardware
page-table writes are supported.

\begin{commentary}
Unix-like operating systems generally require that all of cacheable main
memory supports page-table walks.
\end{commentary}

\subsection{Atomicity PMAs}

Atomicity PMAs describes which atomic instructions are supported in
this address region.
Support for atomic instructions is divided into two
categories: {\em LR/SC} and {\em AMOs}.

\begin{commentary}
Some platforms might mandate that all of cacheable main memory support
all atomic operations required by the attached processors.
\end{commentary}

\subsubsection{AMO PMA}

  Within AMOs, there are four levels of
support: {\em AMONone}, {\em AMOSwap}, {\em AMOLogical}, and {\em
  AMOArithmetic}.  AMONone indicates that no AMO operations are
supported.  AMOSwap indicates that only {\tt amoswap} instructions are
supported in this address range.  AMOLogical indicates that swap
instructions plus all the logical AMOs ({\tt amoand}, {\tt amoor},
{\tt amoxor}) are supported.  AMOArithmetic indicates that all RISC-V
AMOs are supported.  For each level of support, naturally aligned AMOs
of a given width are supported if the underlying memory region
supports reads and writes of that width.
Main memory and I/O regions may only support a subset or none of the
processor-supported atomic operations.

\begin{table*}[h!]
\begin{center}
\begin{tabular}{|l|l|}
  \hline
  AMO Class & Supported Operations \\
  \hline
  AMONone       & {\em None} \\
  AMOSwap       & {\tt amoswap} \\
  AMOLogical    & above + {\tt amoand}, {\tt amoor}, {\tt amoxor} \\
  AMOArithmetic & above + {\tt amoadd}, {\tt amomin}, {\tt amomax}, {\tt amominu}, {\tt amomaxu} \\
  \hline
\end{tabular}
\end{center}
\caption{Classes of AMOs supported by I/O regions.}
\label{amoclasses}
\end{table*}

\begin{commentary}
We recommend providing at least AMOLogical support for I/O regions
where possible.
\end{commentary}

\subsubsection{Reservability PMA}

For {\em LR/SC}, there are three levels of support indicating combinations of
the reservability and eventuality properties:  {\em RsrvNone},
{\em RsrvNonEventual}, and {\em RsrvEventual}.
RsrvNone indicates that no LR/SC operations are supported (the location is
non-reservable).  RsrvNonEventual indicates that the operations are supported
(the location is reservable), but without the eventual success guarantee
described in the unprivileged ISA specification.  RsrvEventual indicates that
the operations are supported and provide the eventual success guarantee.

\begin{commentary}
We recommend providing RsrvEventual support for main memory regions
where possible.  Most I/O regions will not support LR/SC accesses, as
these are most conveniently built on top of a cache-coherence scheme, but some
may support RsrvNonEventual or RsrvEventual.
\end{commentary}

\begin{commentary}
When LR/SC is used for memory locations marked RsrvNonEventual, software should
provide alternative fall-back mechanisms used when lack of progress is
detected.
\end{commentary}

\subsubsection{Alignment}

Memory regions that support aligned LR/SC or aligned AMOs might also support
misaligned LR/SC or misaligned AMOs for some addresses and access widths.  If,
for a given address and access width, a misaligned LR/SC or AMO generates
an address-misaligned exception, then {\em all} loads, stores, LRs/SCs, and
AMOs using that address and access width must generate address-misaligned
exceptions.
\begin{commentary}
The standard ``A'' extension does not support misaligned AMOs or LR/SC pairs.
Support for misaligned AMOs is provided by the standard ``Zam'' extension.
Support for misaligned LR/SC sequences is not currently standardized,
so LR and SC to misaligned addresses must raise an exception.

Mandating that misaligned loads and stores raise address-misaligned exceptions
wherever misaligned AMOs raise address-misaligned exceptions permits the
emulation of misaligned AMOs in an M-mode trap handler.  The handler
guarantees atomicity by acquiring a global mutex and emulating the access
within the critical section.  Provided that the handler for misaligned loads
and stores uses the same mutex, all accesses to a given address that use the
same word size will be mutually atomic.
\end{commentary}

Implementations may raise access-fault exceptions instead of address-misaligned
exceptions for some misaligned accesses, indicating the instruction should not
be emulated by a trap handler.  If, for a given address and access width, all
misaligned LRs/SCs and AMOs generate access-fault exceptions, then regular
misaligned loads and stores using the same address and access width are not
required to execute atomically.

\subsection{Memory-Ordering PMAs}

Regions of the address space are classified as either {\em main
  memory} or {\em I/O} for the purposes of ordering by the FENCE
instruction and atomic-instruction ordering bits.

Accesses by one hart to main memory regions are observable not only by
other harts but also by other devices with the capability to initiate
requests in the main memory system (e.g., DMA engines).
Coherent main memory regions always have either the RVWMO or RVTSO memory
model.
Incoherent main memory regions have an implementation-defined memory model.

Accesses by one hart to an I/O region are observable not only by other harts
and bus mastering devices but also by targeted slave I/O devices, and I/O
regions may be accessed with either {\em relaxed} or {\em strong} ordering.
Accesses to an I/O region with relaxed ordering are generally observed by
other harts and bus mastering devices in a manner similar to the ordering of
accesses to an RVWMO memory region, as discussed in Section A.4.2 in Volume
I of this specification.
By contrast, accesses to an I/O region with strong ordering are generally
observed by other harts and bus mastering devices in program order.

Each strongly ordered I/O region specifies a numbered ordering
channel, which is a mechanism by which ordering guarantees can be
provided between different I/O regions.  Channel 0 is used to indicate
point-to-point strong ordering only, where only accesses by the hart to the
single associated I/O region are strongly ordered.

Channel 1 is used to provide global strong ordering across all I/O
regions.  Any accesses by a hart to any I/O region associated with
channel 1 can only be observed to have occurred in program order by all
other harts and I/O devices, including relative to accesses made by
that hart to relaxed I/O regions or strongly ordered I/O regions with
different channel numbers.  In other words, any access to a region in
channel 1 is equivalent to executing a {\tt fence io,io}
instruction before and after the instruction.

Other larger channel numbers provide program ordering to accesses by
that hart across any regions with the same channel number.

Systems might support dynamic configuration of ordering properties on
each memory region.

\begin{commentary}
Strong ordering can be used to improve compatibility with legacy
device driver code, or to enable increased performance compared to
insertion of explicit ordering instructions when the implementation is
known to not reorder accesses.

Local strong ordering (channel 0) is the default form of strong
ordering as it is often straightforward to provide if there is only a
single in-order communication path between the hart and the I/O
device.

Generally, different strongly ordered I/O regions can share the same
ordering channel without additional ordering hardware if they share
the same interconnect path and the path does not reorder requests.
\end{commentary}

\subsection{Coherence and Cacheability PMAs}

Coherence is a property defined for a single physical address, and
indicates that writes to that address by one agent will eventually be
made visible to other agents in the system.  Coherence is not to be
confused with the memory consistency model of a system, which defines
what values a memory read can return given the previous history of
reads and writes to the entire memory system.  In RISC-V platforms,
the use of hardware-incoherent regions is discouraged due to software
complexity, performance, and energy impacts.

The cacheability of a memory region should not affect the software
view of the region except for differences reflected in other PMAs,
such as main memory versus I/O classification, memory ordering,
supported accesses and atomic operations, and coherence.  For this
reason, we treat cacheability as a platform-level setting managed by
machine-mode software only.

Where a platform supports configurable cacheability settings for a
memory region, a platform-specific machine-mode routine will change
the settings and flush caches if necessary, so the system is only
incoherent during the transition between cacheability settings.  This
transitory state should not be visible to lower privilege levels.

\begin{commentary}
We categorize RISC-V caches into three types: {\em master-private},
{\em shared}, and {\em slave-private}.  Master-private caches are
attached to a single master agent, i.e., one that issues read/write
requests to the memory system.  Shared caches are located between
masters and slaves and may be hierarchically organized.  Slave-private
caches do not impact coherence, as they are local to a single slave
and do not affect other PMAs at a master, so are not considered
further here.  We use {\em private cache} to mean a master-private
cache in the following section, unless explicitly stated otherwise.

Coherence is straightforward to provide for a shared memory region
that is not cached by any agent.  The PMA for such a region would
simply indicate it should not be cached in a private or shared cache.

Coherence is also straightforward for read-only regions, which can be
safely cached by multiple agents without requiring a cache-coherence
scheme.  The PMA for this region would indicate that it can be cached,
but that writes are not supported.

Some read-write regions might only be accessed by a single agent, in
which case they can be cached privately by that agent without
requiring a coherence scheme.  The PMA for such regions would indicate
they can be cached.  The data can also be cached in a shared cache, as
other agents should not access the region.

If an agent can cache a read-write region that is accessible by other
agents, whether caching or non-caching, a cache-coherence scheme is
required to avoid use of stale values.  In regions lacking hardware
cache coherence (hardware-incoherent regions), cache coherence can be
implemented entirely in software, but software coherence schemes are
notoriously difficult to implement correctly and often have severe
performance impacts due to the need for conservative software-directed
cache-flushing.  Hardware cache-coherence schemes require more complex
hardware and can impact performance due to the cache-coherence probes,
but are otherwise invisible to software.

For each hardware cache-coherent region, the PMA would indicate that
the region is coherent and which hardware coherence controller to use
if the system has multiple coherence controllers.  For some systems,
the coherence controller might be an outer-level shared cache, which
might itself access further outer-level cache-coherence controllers
hierarchically.

Most memory regions within a platform will be coherent to software,
because they will be fixed as either uncached, read-only, hardware
cache-coherent, or only accessed by one agent.
\end{commentary}

\subsection{Idempotency PMAs}

Idempotency PMAs describe whether reads and writes to an address
region are idempotent.  Main memory regions are assumed to be
idempotent.  For I/O regions, idempotency on reads and writes can be
specified separately (e.g., reads are idempotent but writes are not).
If accesses are non-idempotent, i.e., there is potentially a side
effect on any read or write access, then speculative or redundant
accesses must be avoided.

For the purposes of defining the idempotency PMAs, changes in observed
memory ordering created by redundant accesses are not considered a
side effect.

\begin{commentary}
While hardware should always be designed to avoid speculative or
redundant accesses to memory regions marked as non-idempotent, it is
also necessary to ensure software or compiler optimizations do not
generate spurious accesses to non-idempotent memory regions.
\end{commentary}

\begin{commentary}
Non-idempotent regions might not support misaligned accesses.  Misaligned
accesses to such regions should raise access-fault exceptions rather than
address-misaligned exceptions, indicating that software should not emulate the
misaligned access using multiple smaller accesses, which could cause
unexpected side effects.
\end{commentary}

\section{Physical Memory Protection}
\label{sec:pmp}

To support secure processing and contain faults, it is desirable to
limit the physical addresses accessible by software running on a hart.
An optional physical memory protection (PMP) unit provides
per-hart machine-mode control registers to allow
physical memory access privileges (read, write, execute) to be
specified for each physical memory region.  The PMP values are checked
in parallel with the PMA checks described in Section~\ref{sec:pma}.

The granularity of PMP access control settings are platform-specific,
but the standard PMP
encoding supports regions as small as four bytes.  Certain regions' privileges
can be hardwired---for example, some regions might only ever be visible in
machine mode but in no lower-privilege layers.

\begin{commentary}
Platforms vary widely in demands for physical memory protection, and
some platforms may provide other PMP structures in addition to or
instead of the scheme described in this section.
\end{commentary}

PMP checks are applied to all accesses whose effective privilege mode is S or
U, including instruction fetches in S and U mode, data accesses in S and
U mode when the MPRV bit in the {\tt mstatus} register is clear, and data
accesses in any mode when the MPRV bit in {\tt mstatus} is set and the MPP
field in {\tt mstatus} contains S or U.
PMP checks are also applied to page-table
accesses for virtual-address translation, for which the effective
privilege mode is S.  Optionally, PMP checks may additionally apply
to M-mode accesses, in which case the PMP registers themselves are
locked, so that even M-mode software cannot change them until the hart is
reset.  In effect, PMP can {\em grant} permissions to S and U
modes, which by default have none, and can {\em revoke} permissions
from M-mode, which by default has full permissions.

PMP violations are always trapped precisely at the processor.

\subsection{Physical Memory Protection CSRs}

PMP entries are described by an 8-bit configuration register and one MXLEN-bit
address register.  Some PMP settings additionally use the address register
associated with the preceding PMP entry.
Up to 64 PMP entries are supported.
Implementations may implement zero, 16, or 64 PMP CSRs.
All PMP CSR fields are \warl\ and may be hardwired to zero.
PMP CSRs are only accessible to M-mode.

The PMP configuration registers are densely packed into CSRs to minimize
context-switch time.
For RV32, sixteen CSRs, {\tt pmpcfg0}--{\tt pmpcfg15}, hold the configurations
{\tt pmp0cfg}--{\tt pmp63cfg} for the 64 PMP entries, as shown in
Figure~\ref{pmpcfg-rv32}.
For RV64, eight even-numbered CSRs,
{\tt pmpcfg0}, {\tt pmpcfg2}, \ldots, {\tt pmpcfg14}, hold the configurations
for the 64 PMP entries, as shown in Figure~\ref{pmpcfg-rv64}.
For RV64, the odd-numbered configuration registers,
{\tt pmpcfg1}, {\tt pmpcfg3}, \ldots, {\tt pmpcfg15}, are illegal.

\begin{commentary}
RV64 systems use {\tt pmpcfg2}, rather than {\tt pmpcfg1}, to hold
configurations for PMP entries 8--15.  This design reduces the cost of
supporting multiple MXLEN values, since the configurations for PMP
entries 8--11 appear in {\tt pmpcfg2}[31:0] for both RV32 and RV64.
\end{commentary}

\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}Y@{}Y@{}Y@{}Yl}
\instbitrange{31}{24} &
\instbitrange{23}{16} &
\instbitrange{15}{8} &
\instbitrange{7}{0} & \\
\cline{1-4}
\multicolumn{1}{|c|}{pmp3cfg} &
\multicolumn{1}{c|}{pmp2cfg} &
\multicolumn{1}{c|}{pmp1cfg} &
\multicolumn{1}{c|}{pmp0cfg} &
\tt pmpcfg0 \\
\cline{1-4}
8 & 8 & 8 & 8 & \\
\instbitrange{31}{24} &
\instbitrange{23}{16} &
\instbitrange{15}{8} &
\instbitrange{7}{0} & \\
\cline{1-4}
\multicolumn{1}{|c|}{pmp7cfg} &
\multicolumn{1}{c|}{pmp6cfg} &
\multicolumn{1}{c|}{pmp5cfg} &
\multicolumn{1}{c|}{pmp4cfg} &
\tt pmpcfg1 \\
\cline{1-4}
8 & 8 & 8 & 8 & \\
~ \\
\multicolumn{4}{c}{\Huge\vdots} & \ \\
~ \\
\instbitrange{31}{24} &
\instbitrange{23}{16} &
\instbitrange{15}{8} &
\instbitrange{7}{0} & \\
\cline{1-4}
\multicolumn{1}{|c|}{pmp63cfg} &
\multicolumn{1}{c|}{pmp62cfg} &
\multicolumn{1}{c|}{pmp61cfg} &
\multicolumn{1}{c|}{pmp60cfg} &
\tt pmpcfg15 \\
\cline{1-4}
8 & 8 & 8 & 8 & \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{RV32 PMP configuration CSR layout.}
\label{pmpcfg-rv32}
\end{figure}

\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}Y@{}Y@{}Y@{}Y@{}Y@{}Y@{}Y@{}Yl}
\instbitrange{63}{56} &
\instbitrange{55}{48} &
\instbitrange{47}{40} &
\instbitrange{39}{32} &
\instbitrange{31}{24} &
\instbitrange{23}{16} &
\instbitrange{15}{8} &
\instbitrange{7}{0} & \\
\cline{1-8}
\multicolumn{1}{|c|}{pmp7cfg} &
\multicolumn{1}{c|}{pmp6cfg} &
\multicolumn{1}{c|}{pmp5cfg} &
\multicolumn{1}{c|}{pmp4cfg} &
\multicolumn{1}{c|}{pmp3cfg} &
\multicolumn{1}{c|}{pmp2cfg} &
\multicolumn{1}{c|}{pmp1cfg} &
\multicolumn{1}{c|}{pmp0cfg} &
\tt pmpcfg0 \\
\cline{1-8}
8 & 8 & 8 & 8 & 8 & 8 & 8 & 8 & \\
\instbitrange{63}{56} &
\instbitrange{55}{48} &
\instbitrange{47}{40} &
\instbitrange{39}{32} &
\instbitrange{31}{24} &
\instbitrange{23}{16} &
\instbitrange{15}{8} &
\instbitrange{7}{0} & \\
\cline{1-8}
\multicolumn{1}{|c|}{pmp15cfg} &
\multicolumn{1}{c|}{pmp14cfg} &
\multicolumn{1}{c|}{pmp13cfg} &
\multicolumn{1}{c|}{pmp12cfg} &
\multicolumn{1}{c|}{pmp11cfg} &
\multicolumn{1}{c|}{pmp10cfg} &
\multicolumn{1}{c|}{pmp9cfg} &
\multicolumn{1}{c|}{pmp8cfg} &
\tt pmpcfg2 \\
\cline{1-8}
8 & 8 & 8 & 8 & 8 & 8 & 8 & 8 & \\
~ \\
\multicolumn{8}{c}{\Huge\vdots} & \ \\
~ \\
\instbitrange{63}{56} &
\instbitrange{55}{48} &
\instbitrange{47}{40} &
\instbitrange{39}{32} &
\instbitrange{31}{24} &
\instbitrange{23}{16} &
\instbitrange{15}{8} &
\instbitrange{7}{0} & \\
\cline{1-8}
\multicolumn{1}{|c|}{pmp63cfg} &
\multicolumn{1}{c|}{pmp62cfg} &
\multicolumn{1}{c|}{pmp61cfg} &
\multicolumn{1}{c|}{pmp60cfg} &
\multicolumn{1}{c|}{pmp59cfg} &
\multicolumn{1}{c|}{pmp58cfg} &
\multicolumn{1}{c|}{pmp57cfg} &
\multicolumn{1}{c|}{pmp56cfg} &
\tt pmpcfg14 \\
\cline{1-8}
8 & 8 & 8 & 8 & 8 & 8 & 8 & 8 & \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{RV64 PMP configuration CSR layout.}
\label{pmpcfg-rv64}
\end{figure}

The PMP address registers are CSRs named {\tt pmpaddr0}--{\tt pmpaddr63}.
Each PMP address register encodes bits 33--2 of a 34-bit physical address for
RV32, as shown in Figure~\ref{pmpaddr-rv32}.  For RV64, each PMP address
register encodes bits 55--2 of a 56-bit physical address, as shown in
Figure~\ref{pmpaddr-rv64}.  Not all physical address bits may be implemented,
and so the {\tt pmpaddr} registers are \warl.

\begin{commentary}
The Sv32 page-based virtual-memory scheme described in Section~\ref{sec:sv32}
supports 34-bit physical addresses for RV32, so the PMP scheme must support
addresses wider than XLEN for RV32.
The Sv39 and Sv48 page-based virtual-memory schemes described in
Sections~\ref{sec:sv39} and~\ref{sec:sv48} support a 56-bit physical address
space, so the RV64 PMP address registers impose the same limit.
\end{commentary}

\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}J}
\instbitrange{31}{0} \\
\hline
\multicolumn{1}{|c|}{address[33:2] (\warl)} \\
\hline
32 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{PMP address register format, RV32.}
\label{pmpaddr-rv32}
\end{figure}

\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{@{}F@{}J}
\instbitrange{63}{54} &
\instbitrange{53}{0} \\
\hline
\multicolumn{1}{|c|}{0 (\warl)} &
\multicolumn{1}{c|}{address[55:2] (\warl)} \\
\hline
10 & 54 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{PMP address register format, RV64.}
\label{pmpaddr-rv64}
\end{figure}

Figure~\ref{pmpcfg} shows the layout of a PMP configuration register.  The R,
W, and X bits, when set, indicate that the PMP entry permits read, write, and
instruction execution, respectively.  When one of these bits is clear, the
corresponding access type is denied.  The combination R=0 and W=1 is reserved
for future use.  The remaining two fields, A and L, are
described in the following sections.

\begin{figure}[h!]
{\footnotesize
\begin{center}
\begin{tabular}{YSSYYY}
\instbit{7} &
\instbitrange{6}{5} &
\instbitrange{4}{3} &
\instbit{2} &
\instbit{1} &
\instbit{0} \\
\hline
\multicolumn{1}{|c|}{L (\warl)} &
\multicolumn{1}{c|}{0 (\warl)} &
\multicolumn{1}{c|}{A (\warl)} &
\multicolumn{1}{c|}{X (\warl)} &
\multicolumn{1}{c|}{W (\warl)} &
\multicolumn{1}{c|}{R (\warl)}
\\
\hline
1 & 2 & 2 & 1 & 1 & 1 \\
\end{tabular}
\end{center}
}
\vspace{-0.1in}
\caption{PMP configuration register format.}
\label{pmpcfg}
\end{figure}

Attempting to fetch an instruction from a PMP region that does not have execute
permissions raises an instruction access-fault exception.  Attempting to execute
a load or load-reserved instruction which accesses a physical address within
a PMP region without read permissions raises a load access-fault exception.
Attempting to execute a store, store-conditional,
or AMO instruction which accesses a physical address within a PMP region without
write permissions raises a store access-fault exception.

If MXLEN is changed, the contents of the {\tt pmp{\em x}cfg} fields are
preserved, but appear in the {\tt pmpcfg{\em y}} CSR prescribed by the new
setting of MXLEN.  For example, when MXLEN is changed from 64 to 32, {\tt
pmp4cfg} moves from {\tt pmpcfg0}[39:32] to {\tt pmpcfg1}[7:0].  The {\tt
pmpaddr} CSRs follow the usual CSR width modulation rules described in
Section~\ref{sec:csrwidthmodulation}.

\subsubsection*{Address Matching}

The A field in a PMP entry's configuration register encodes the
address-matching mode of the associated PMP address register.  The encoding of
this field is shown in Table~\ref{pmpcfg-a}.  When A=0, this PMP entry is
disabled and matches no addresses.  Two other address-matching modes are
supported: naturally aligned power-of-2 regions (NAPOT), including the special
case of naturally aligned four-byte regions (NA4); and the top boundary of an
arbitrary range (TOR).  These modes support four-byte granularity.

\begin{table*}[h!]
\begin{center}
\begin{tabular}{|r|c|l|}
\hline
A & Name & Description \\
\hline
0 & OFF   & Null region (disabled) \\
1 & TOR   & Top of range \\
2 & NA4   & Naturally aligned four-byte region \\
3 & NAPOT & Naturally aligned power-of-two region, $\ge$8 bytes \\
\hline
\end{tabular}
\end{center}
\caption{Encoding of A field in PMP configuration registers.}
\label{pmpcfg-a}
\end{table*}

NAPOT ranges make use of the low-order bits of the associated address register
to encode the size of the range, as shown in Table~\ref{pmpcfg-napot}.

\begin{table*}[h!]
\begin{center}
  \begin{tabular}{|c|c|l|}
  \hline
  \tt pmpaddr    & {\tt pmpcfg}.A & Match type and size \\
  \hline
  \tt yyyy...yyyy & NA4   & 4-byte NAPOT range \\
  \tt yyyy...yyy0 & NAPOT & 8-byte NAPOT range \\
  \tt yyyy...yy01 & NAPOT & 16-byte NAPOT range \\
  \tt yyyy...y011 & NAPOT & 32-byte NAPOT range \\
  \multicolumn{1}{|c|}{\ldots} &  \ldots  & \multicolumn{1}{|c|}{\ldots} \\
  \tt yy01...1111 & NAPOT & $2^{\text{XLEN}}$-byte NAPOT range \\
  \tt y011...1111 & NAPOT & $2^{\text{XLEN}+1}$-byte NAPOT range \\
  \tt 0111...1111 & NAPOT & $2^{\text{XLEN}+2}$-byte NAPOT range \\
  \tt 1111...1111 & NAPOT & $2^{\text{XLEN}+3}$-byte NAPOT range \\
  \hline
  \end{tabular}
\end{center}
\caption{NAPOT range encoding in PMP address and configuration registers.}
\label{pmpcfg-napot}
\end{table*}

If TOR is selected, the associated address register forms the top of the
address range, and the preceding PMP address register forms the bottom of the
address range.  If PMP entry $i$'s A field is set to TOR, the entry matches
any address $y$ such that ${\tt pmpaddr}_{i-1}\leq y < {\tt pmpaddr}_i$
(irrespective of the value of ${\tt pmpcfg}_{i-1}$).
If
PMP entry 0's A field is set to TOR, zero is used for the lower bound, and so
it matches any address $y < {\tt pmpaddr}_0$.

\begin{commentary}
If ${\tt pmpaddr}_{i-1}\geq {\tt pmpaddr}_i$ and ${\tt pmpcfg_i.A}$=TOR,
then PMP entry $i$ matches no addresses.
\end{commentary}

Although the PMP mechanism supports regions as small as four bytes, platforms
may specify coarser PMP regions. In general, the PMP grain is $2^{G+2}$ bytes
and must be the same across all PMP regions.  When $G \geq 1$, the NA4 mode
is not selectable.  When $G \geq 2$ and ${\tt pmpcfg}_i$.A[1] is set, i.e.
the mode is NAPOT, then bits ${\tt pmpaddr}_i$[G-2:0] read as all ones.  When
$G \geq 1$ and ${\tt pmpcfg}_i$.A[1] is clear, i.e. the mode is OFF or TOR,
then bits ${\tt pmpaddr}_i$[G-1:0] read as all zeros.  Bits ${\tt
pmpaddr}_i$[G-1:0] do not affect the TOR address-matching logic.
Although changing ${\tt pmpcfg}_i$.A[1] affects the value read from
${\tt pmpaddr}_i$, it does not affect the underlying value stored in that
register---in particular, ${\tt pmpaddr}_i$[G-1] retains its original value
when ${\tt pmpcfg}_i$.A is changed from NAPOT to TOR/OFF then back to NAPOT.

\begin{commentary}
Software may determine the PMP granularity by writing zero to {\tt pmp0cfg},
then writing all ones to {\tt pmpaddr0}, then reading back {\tt pmpaddr0}.
If $G$ is the index of the least-significant bit set,
the PMP granularity is $2^{G+2}$ bytes.
\end{commentary}

If the current XLEN is greater than MXLEN, the PMP address registers are
zero-extended from MXLEN to XLEN bits for the purposes of address matching.

\subsubsection*{Locking and Privilege Mode}

The L bit indicates that the PMP entry is locked, i.e., writes to the
configuration register and associated address registers are ignored.  Locked
PMP entries remain locked until the hart is reset.  If PMP entry $i$ is
locked, writes to {\tt pmp}$i${\tt cfg} and {\tt pmpaddr}$i$ are ignored.
Additionally, if PMP entry~$i$ is locked and {\tt pmp}$i${\tt cfg}.A is set
to TOR, writes to {\tt pmpaddr}$i$-1 are ignored.

\begin{commentary}
Setting the L bit locks the PMP entry even when the A field is set to OFF.
\end{commentary}

In addition to locking the PMP entry, the L bit indicates whether the R/W/X
permissions are enforced on M-mode accesses.  When the L bit is set, these
permissions are enforced for all privilege modes.  When the L bit is clear,
any M-mode access matching the PMP entry will succeed; the R/W/X
permissions apply only to S and U modes.

\subsubsection*{Priority and Matching Logic}

PMP entries are statically prioritized.  The lowest-numbered PMP entry that
matches any byte of an access determines whether that access succeeds or
fails.  The matching PMP entry must match all bytes of an access, or the
access fails, irrespective of the L, R, W, and X bits.  For example, if a PMP
entry is configured to match the four-byte range {\tt 0xC}--{\tt 0xF}, then an
8-byte access to the range {\tt 0x8}--{\tt 0xF} will fail, assuming that
PMP entry is the highest-priority entry that matches those addresses.

If a PMP entry matches all bytes of an access, then the L, R, W, and X bits
determine whether the access succeeds or fails.  If the L bit is clear and the
privilege mode of the access is M, the access succeeds.  Otherwise, if the
L bit is set or the privilege mode of the access is S or U, then the access
succeeds only if the R, W, or X bit corresponding to the access type is set.

If no PMP entry matches an M-mode access, the access succeeds.  If no PMP
entry matches an S-mode or U-mode access, but at least one PMP entry is
implemented, the access fails.

\begin{commentary}
If at least one PMP entry is implemented, but all PMP entries' A fields are
set to OFF, then all S-mode and U-mode memory accesses will fail.
\end{commentary}

Failed accesses generate an instruction, load, or store access-fault exception.  Note
that a single instruction may generate multiple accesses, which may not be
mutually atomic.  An access-fault exception is generated if at least one access
generated by an instruction fails, though other accesses generated by that
instruction may succeed with visible side effects.  Notably, instructions that
reference virtual memory are decomposed into multiple accesses.

On some implementations, misaligned loads, stores, and instruction fetches may
also be decomposed into multiple accesses, some of which may succeed before an
access-fault exception occurs.  In particular, a portion of a misaligned store
that passes the PMP check may become visible, even if another portion fails
the PMP check.  The same behavior may manifest for floating-point stores wider
than XLEN bits (e.g., the FSD instruction in RV32D), even when the store
address is naturally aligned.

\subsection{Physical Memory Protection and Paging}
\label{pmp-vmem}

The Physical Memory Protection mechanism is designed to compose with the
page-based virtual memory systems described in Chapter~\ref{supervisor}.  When
paging is enabled, instructions that access virtual memory may result in
multiple physical-memory accesses, including implicit references to the page
tables.  The PMP checks apply to all of these accesses.  The effective
privilege mode for implicit page-table accesses is S.

Implementations with virtual memory are permitted to perform address
translations speculatively and earlier than required by an explicit
virtual-memory access.  The PMP settings for the resulting physical address
may be checked at any point between the address translation and the explicit
virtual-memory access.  Hence, when the PMP settings are modified in a manner
that affects either the physical memory that holds the page tables or the
physical memory to which the page tables point, M-mode software must
synchronize the PMP settings with the virtual memory system.  This is
accomplished by executing an SFENCE.VMA instruction with {\em rs1}={\tt x0}
and {\em rs2}={\tt x0}, after the PMP CSRs are written.

If page-based virtual memory is not implemented, 
memory accesses check the PMP settings synchronously, so no fence is needed.
